
Google’s working on stopping sites from blocking Incognito mode

Google Chrome's Incognito mode hasn't been an impenetrable privacy shield: For years, it's been a snap for web developers to detect when Chrome users are browsing in private mode and to block site visitors who use it. Now it looks like Google plans to close that loophole.

Google Chrome’s Incognito mode hasn’t been an impenetrable privacy shield: For years, it’s been a snap for web developers to detect when Chrome users are browsing in private mode and to block site visitors who use it.

Google’s known all about it. And finally, 9to5Google reports, it looks like the company plans to close the loophole that’s enabled sites to detect when you’re using Incognito mode.

That loophole: websites have detected Incognito mode by trying to use an API that the mode turns off.

There are many ways to detect Incognito mode: as 9to5Google suggests, if you search for “how to detect Incognito mode,” you’ll find that developers have contributed ways to do so on Stack Overflow.

One easy way has been to sniff out that API: a developer can simply try to use Chrome’s FileSystem API, which is disabled in Incognito mode. That API is used by apps to store files, be it temporarily or more permanently. Incognito shuts it off entirely so that the API won’t create permanent files that could jeopardize somebody’s privacy.

This is what some websites do, particularly if they’ve got content behind a paywall, as does the Boston Globe: they detect and block Incognito users, since such users can’t be tracked and have used the mode to bypass paid subscription requirements.

From a Stack Overflow commenter:

[The] site could detract value by detecting incognito. Boston Globe’s site won’t display its articles in incognito, preventing the user from circumventing their free articles quota.

“This is brilliant!” one dev said after the method was posted in January 2015. “Clean and elegant,” said another in October of that year.

Well, get ready to kiss it goodbye, said yet another developer on Saturday, pointing to a series of recent commits to Chromium’s Gerrit source code management.

The commits show that Google’s working on implementing a virtual file system for Chrome to present when it’s in Incognito mode and a site asks for one. The virtual file system will be created in RAM, to ensure it will be deleted once a user leaves Incognito. 9to5Google’s Kyle Bradshaw:

This should easily shut down all current methods for detecting if Chrome is Incognito.
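To make concrete why a RAM-backed file system shuts the probe down, here is an added model (not code from the article, from the Stack Overflow posts it mentions, or from Chromium) of the detection script's logic with the browser API injected; the three stand-in implementations are constructed for illustration, and in a real browser the call is `window.webkitRequestFileSystem(type, size, onSuccess, onError)` with asynchronous callbacks.

```javascript
// Added example, not from the article or Chromium: models the historical
// Incognito probe and why an in-RAM virtual file system defeats it.
// In a browser the call is window.webkitRequestFileSystem(type, size, onSuccess, onError)
// and the callbacks fire asynchronously; here the API is injected and the
// constructed stand-ins call back synchronously so the model runs in Node.

const TEMPORARY = 0; // same value as window.TEMPORARY in Chrome

// The probe as detection scripts used it: an error from the FileSystem API was
// taken to mean Incognito. It infers the mode from the absence of a feature,
// not from any signal the browser intends to expose.
function probeIncognito(requestFileSystem) {
  let verdict = 'undecided';
  requestFileSystem(
    TEMPORARY,
    100, // bytes requested; the amount is irrelevant to the probe
    () => { verdict = 'normal'; },    // a file system came back
    () => { verdict = 'incognito'; }  // request refused
  );
  return verdict;
}

// Constructed stand-ins for the three browser behaviours the article describes.
const normalModeFs = (type, size, onSuccess) => onSuccess({ backing: 'disk' });
const legacyIncognitoFs = (type, size, onSuccess, onError) =>
  onError(new Error('FileSystem API is disabled in Incognito'));
// Chrome 74/76 behaviour: Incognito answers with a RAM-backed file system that is
// discarded when the session ends, so the probe sees the same answer as normal mode.
const virtualIncognitoFs = (type, size, onSuccess) => onSuccess({ backing: 'memory' });

// Run the same probe against all three and return the verdicts side by side.
function compareProbes() {
  return {
    normal: probeIncognito(normalModeFs),
    legacyIncognito: probeIncognito(legacyIncognitoFs),
    virtualIncognito: probeIncognito(virtualIncognitoFs),
  };
}
```

With the virtual file system the probe returns the same verdict for Incognito as for normal mode, which is the whole point of the change.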

The developer who’s handling the detection prevention feature said that he’s hoping that it will launch in Chrome 74, with the use of a flag. It should be enabled by default in Chrome 76.

According to Chromium Dash, Chrome 74’s stable release is scheduled for April 23. The stable release for Chrome 76 is slated for July 30.

This could all be just a stopgap, though, given that Google would eventually like to ditch the FileSystem API altogether. According to an internal design document obtained by 9to5Google, once the virtual file system is in place, Google is going to suss out “how many legitimate uses of it remain once the Incognito detection abusers move on.”

Bradshaw quoted from the internal document:

Since there’s no adoption of the FileSystem API by other browser vendors, it appears to be only used by sites to detect incognito mode. By making this harder, hopefully the overall usage of the API goes down to the point that we can deprecate and remove it.

4 Comments

Maybe it’s just me, but if a website owner goes through the trouble of blocking an anonymous visitor to their website that the visitor chose to visit, I would not visit that website ever again and would choose to go someplace else with my page views and/or money.


The FileSystem API method in the linked stack overflow post is only one possible method. There were other replies detailing other methods, and no doubt there are still more that did not appear in replies.

If Google are serious about preventing websites from blocking Incognito mode, they should also discourage the practice via a page rank penalty. Most web developers will stop doing it pretty fast if their traffic volume drops off a cliff because their site is now on page 2 of any search results.

Similar nudges have been very effective at persuading developers to adopt SSL, and to serve mobile optimised sites to users browsing on phones & small tablets.


I had never realised this was a problem – using uBlock Origin with incognito, I can read the Boston Globe just fine.
