Having the option to switch over to Chrome’s incognito mode at any time is comforting for many users, but it isn’t a foolproof tool. While you may value your privacy, not all web developers do, and as many of them point out on Stack Overflow, it’s surprisingly easy to find out when a visitor is browsing one of their sites in an incognito window. Some of those sites even go so far as to block incognito users altogether, as they can’t track them and deliver them ads, thus making them less valuable. But Google appears to be fighting back against this.
Spotted by 9to5Google last week, a series of recent commits to Chrome’s source code suggests that the browser will create a virtual version of the FileSystem API (the API itself is disabled in incognito mode) and trick websites into thinking the API is operating normally, taking away the workaround many sites were using to detect incognito users.
Once the virtual API has served its purpose (bypassing sites that block incognito users), it will be deleted at the end of a user’s session, so that no permanent record will be kept. In effect, this should make it impossible to detect when someone in incognito mode visits a site, but a more drastic solution might be in store.
“Since there’s no adoption of the FileSystem API by other browser vendors, it appears to be only used by sites to detect incognito mode,” reads a design document obtained by 9to5Google. “By making this harder, hopefully the overall usage of the API goes down to the point that we can deprecate and remove it.”
It sounds like the FileSystem API isn’t long for this world anyway, so sooner or later, incognito users will be safe. In the meantime, the virtual API fix will be available behind the “chrome://flags” menu in Chrome 74, with a full public release expected for Chrome 76. If you want the feature sooner, download Chrome Canary.