Why it matters: Google is looking to fix an ages-old loophole that allows websites to check to see if a user is in Incognito mode when visiting the site in Chrome.
The most common way that websites detect the mode is by trying to call the “FileSystem” API, which is available in Chrome’s default mode. This API is disabled in Incognito since it can create a permanent record defeating the purpose of private browsing. So if a website tries to access the API, Incognito will throw an error, which triggers the site to display its “turn off Incognito” message.
Google has been aware of this checking method for a long time but finally seems to be doing something about it. According to several recent commits to Chrome’s source code, developers are beginning to tie up this loophole. The plan is to add a virtual file system in RAM to Incognito mode. This way when websites call the FileSystem API, they won’t get an error, and when the user closes the Incognito window, the virtual file system disappears leaving no trace.
"This should easily shut down all current methods for detecting if Chrome is Incognito."
9to5Google obtained an internal document noting that once it implements this “protection,” Google is going to look at eliminating the FileSystem API in future versions.
“Since there’s no adoption of the FileSystem API by other browser vendors, it appears to be only used by sites to detect incognito mode,” the document reads. “By making this harder, hopefully, the overall usage of the API goes down to the point that we can deprecate and remove it.”
Google is aiming to have it ready by Chrome 74 behind a flag and then enabling it by default with Chrome 76. Chrome 74 (Canary) is due to roll out soon. To use the new feature, users will have to apply the flag #enable-filesystem-in-incognito.