I'm not sure these researchers understand how private-browsing functions. The session in a private-browsing window is only private from the non-private sessions and only private from future private-sessions when all private sessions -- private-browsing windows -- are destroyed.
The main exceptions to this are Flash cookies. These are shared between all browsers for a given user, since they're stored by the Flash plugin itself and independent of individual browsers' profile storage.
"Starting with Flash Player 10.1, Flash Player actively supports the browser's private browsing mode, managing data in local storage so that it is consistent with private browsing. So when a private browsing session ends, Flash Player will automatically clear any corresponding data in local storage."
FF5 and IE9 function similarly. Non-private and private sessions will not cooperate on the same cache, cookies, ETags, etc. Closing a private session will destroy all local cache, cookies, ETags, etc., and they are not reinstated when starting future private sessions.
http://imgur.com/a/LjjYf
Here I have a non-private session, where I have requested i.js (a second time), invoking an If-None-Match check with my non-private ETag of i.js. Opening a private session, my request to i.js does not invoke my non-private session's ETag and subsequent If-None-Match -- i.js is fetched as if my session has no memory of the URI.
In the second shot, I had closed my private session opened in the first test, and I then opened a new private session, without closing my previous non-private session. Again, my private session requests a new i.js, with no idea of the non-private session's nor the first, now closed, private session's version.
The onus is on browsers to restrict inner-private-session storage from leaking between tabs, but it could be quite messy.
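Added example, not part of the thread: a small model of the ETag behaviour the comments describe, showing which requests carry `If-None-Match` and which are fetched cold. The `Server` and `Browser` classes and the URL are constructed for illustration; the model assumes one cache store shared by all private windows that is discarded when the last one closes.

```python
import hashlib

URL = "https://example.test/i.js"  # constructed URL

class Server:
    """Constructed origin: serves one script with a content-hash ETag."""
    def __init__(self, body=b"console.log('i');"):
        self.body = body
        self.etag = '"%s"' % hashlib.sha256(body).hexdigest()[:16]
        self.seen = []  # If-None-Match value of each request (None = absent)

    def get(self, headers):
        inm = headers.get("If-None-Match")
        self.seen.append(inm)
        if inm == self.etag:
            return 304, b""           # validator matched: Not Modified
        return 200, self.body         # no matching validator: full response

class Browser:
    """Assumed model: one normal store, one store shared by private windows."""
    def __init__(self):
        self.normal, self.private, self.windows = {}, None, 0

    def open_private(self):
        if self.windows == 0:
            self.private = {}         # fresh, empty store
        self.windows += 1

    def close_private(self):
        self.windows -= 1
        if self.windows == 0:
            self.private = None       # last private window closed: wipe

    def fetch(self, server, url, private=False):
        store = self.private if private else self.normal
        headers = {"If-None-Match": store[url]} if url in store else {}
        status, _body = server.get(headers)
        if status == 200:
            store[url] = server.etag  # the ETag a 200 response would carry
        return status

def run_scenario():
    s, b = Server(), Browser()
    out = [b.fetch(s, URL), b.fetch(s, URL)]   # normal: 200, then 304
    b.open_private(); b.open_private()         # two private windows
    out.append(b.fetch(s, URL, private=True))  # 200: normal ETag not sent
    b.close_private()                          # one window still open
    out.append(b.fetch(s, URL, private=True))  # 304: shared private store
    b.close_private(); b.open_private()        # session destroyed, new one
    out.append(b.fetch(s, URL, private=True))  # 200: nothing carried over
    out.append(b.fetch(s, URL))                # 304: normal store untouched
    return out, s.seen
```

The fourth request is the case the last sentence of the comment worries about: within a live private session the validator is still shared across windows.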