Google to fix Chrome loophole allowing sites to detect Incognito browsers

Websites won't be able to detect if you're using Incognito mode

Chrome on Windows 10

Chrome’s Incognito mode can be a blessing for users who want a bit of privacy when browsing the web. However, you may be surprised to know that a longstanding Chrome flaw enabled developers to detect whether you’re browsing incognito.

Thankfully, this may be set to change.

According to several recent code changes spotted by 9to5Google in the Chromium Gerrit — an online collaboration tool where developers can submit, discuss and implement changes to the open source code that powers Chrome — Google will address a loophole with Incognito mode.

Currently, Chrome’s ‘FileSystem’ API allows web sites to detect if Chrome is in Incognito mode. Applications typically use the API to access and store files — temporarily or permanently — in a device’s file system.

Chrome disables this API in Incognito mode to prevent sites from storing permanent files that would remain after a user exits Incognito mode.

Several websites use this knowledge to detect and block people using Incognito mode. For example, The Boston Globe used the loophole to block users in Incognito mode as it allowed them to bypass its free article limit.

Now, Google plans to cut off this loophole by allowing the FileSystem API in Incognito. The trick, however, is that Chrome will create a virtual file system using RAM. This means websites won’t be able to tell if you’re using Incognito through the FileSystem API and also ensures any files saved using it are deleted when you leave Incognito.

Additionally, 9to5Google obtained some internal design documents that suggest Google wants to remove the API entirely. The document says that the API seems to only be “used by sites to detect Incognito mode.”

Once that ability is removed, Google hopes the usage of the API will shrink enough that the company can deprecate and remove it.

Concerning when users can get their hands on the new feature, the developer behind it says it should be in Chrome 74 for testing before being enabled by default in Chrome 76. If you want to test the feature out when Chrome 74 rolls out, you’ll need to use the ‘#enable-filesystem-in-incognito’ flag in ‘chrome://flags.’

Source: Chromium Gerrit Via: 9to5Google