Google Fixing Chrome API To Prevent Incognito Mode Detection (bleepingcomputer.com)
AmiMoJo writes: When browsing the web with Google Chrome, some sites are using a method to determine if a visitor is in a regular browsing session or in incognito mode. As this can be considered a breach of privacy, Google will be changing how a particular API works so that web sites can no longer utilize this technique.
Chrome supports the FileSystem API, which allows sites to create a virtual file system that lives within the sandbox of the browser. This allows sites that utilize large assets, such as online games, to download these assets to a virtual file system so that they do not have to download them each time they are needed. Currently the FileSystem API is not available in incognito sessions, because it leaves files behind and could be considered a privacy risk. Currently the API doesn't work in incognito mode, offering sites a way to check for it. In a Chrome Gerrit post started this week and updated earlier this morning, Google has stated that they are changing the FileSystem API so that it can be used in incognito mode, without the risks to privacy.
This has been known for several years (https://stackoverflow.com/questions/2909367/can-you-determine-if-chrome-is-in-incognito-mode-via-a-script)
There are plenty of other methods to check whether or not you're in incognito mode (http://www.collinjackson.com/research/private-browsing.pdf)
Custom electronics and digital signage for your business: www.evcircuits.com
Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode. I'll be happy if this breaks their block.
Of course, with the vast number of APIs available now, fingerprinting is just about as good as cookies. Browsers reveal far too much information.
Google's mistake with its incognito mode was actually having it behave differently rather than having it behave the same and just sandboxing -everything-
There's another thing that incognito mode destroys your privacy with, and that is the browser history if you've visited the site before without incognito. Try it: go to google.com and then open an incognito window and start typing google.com, it will auto-fill it. If you open the browser history, it will then toss you back to the non-incognito mode.
That's not very private is it?
"Here's a tool that lets you review all the data we have, which you explicitly opted in to allowing us to collect and which is used to provide the services you enjoy. Here is a button to disable collecting it, and here is a button to delete it."
"OMG mah privacy!!1"
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Maybe why Google is also starting to block the worst ads by default anyway. Chrome has a built-in ad blocker now.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
TFA "Since the data is kept in memory in the browser process, a malicious website could try to exhaust the memory of the browser process and make it more likely to crash"
Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?
They didn't miss it, quite the opposite, it is a potential problem they identified for a solution that isn't out yet.
As for limiting to x MB, it is exactly what they intend to do, but while it is an obvious solution, finding the value of x isn't.
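Added example, not part of the thread and not Chrome's code: a small JavaScript model of the "limit to x MB" idea from the last two comments, for a file store that lives only in memory. The class name, the error name, the two limits and the clear-on-session-end behaviour are all assumptions made for illustration.

```javascript
// Illustrative model only; names and limits are assumptions, not Chrome internals.
class QuotaExceededError extends Error {}

class InMemoryFileStore {
  constructor(perOriginLimit, globalLimit) {
    this.perOriginLimit = perOriginLimit; // the "x MB" a single site may hold, in bytes
    this.globalLimit = globalLimit;       // ceiling for all sites in the browser process
    this.files = new Map();               // origin -> Map(path -> Uint8Array)
    this.used = new Map();                // origin -> bytes currently held
    this.totalUsed = 0;
  }

  write(origin, path, bytes) {
    const dir = this.files.get(origin) || new Map();
    const old = dir.has(path) ? dir.get(path).length : 0;
    // Charge only the growth, so overwriting a file is not counted twice.
    const delta = bytes.length - old;
    const originUsed = (this.used.get(origin) || 0) + delta;
    if (originUsed > this.perOriginLimit || this.totalUsed + delta > this.globalLimit) {
      // Reject before storing anything: a failed write leaves the accounting unchanged.
      throw new QuotaExceededError(`${origin}: ${bytes.length}-byte write exceeds quota`);
    }
    dir.set(path, bytes);
    this.files.set(origin, dir);
    this.used.set(origin, originUsed);
    this.totalUsed += delta;
    return originUsed;
  }

  remove(origin, path) {
    const dir = this.files.get(origin);
    if (!dir || !dir.has(path)) return false;
    const size = dir.get(path).length;
    dir.delete(path);
    this.used.set(origin, this.used.get(origin) - size);
    this.totalUsed -= size;
    return true;
  }

  // Assumed session-end behaviour: everything is dropped, nothing was written to disk.
  clear() {
    this.files.clear();
    this.used.clear();
    this.totalUsed = 0;
  }
}
```

The global ceiling is what addresses the memory-exhaustion concern quoted from TFA: one site filling its own allowance cannot starve the process, and neither can many sites each staying under the per-site cap.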