A new Chrome feature, to be included in future versions of Google’s browser, is expected to finally address a fairly well-known loophole that allows websites to detect and block the use of Incognito Mode browsing.
Google is reportedly aware of a trick that web developers have been exploiting to detect whether a user is visiting a website in Chrome’s Incognito mode. This loophole allows websites to block visitors from accessing the site’s content, forcing them to switch out of Incognito mode if they want to view the page.
The workaround is fairly simple. Chrome disables the FileSystem API, which stores application files, when Incognito mode is being used. Websites looking to block private browsing in Chrome can just check for this API when a browser loads the page.
Google is working to fix this exploit by having Chrome create a virtual file system in RAM. By doing this, websites won’t notice the missing API. To ensure data is not saved, this virtual file system will be deleted automatically when a user leaves Incognito mode. According to 9to5Google, the search giant is also looking to remove the FileSystem API from Chrome altogether.
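The signal a page-side check relies on, and why a RAM-backed file system removes it, shown as an added example that is not from the original article or from Chrome's code. `webkitRequestFileSystem` is Chrome's real entry point; the three window-like objects and their helper methods are constructed stand-ins for the behaviour described above.

```javascript
// Added illustration. The three window-like objects are constructed stand-ins
// for Chrome's behaviour as the article describes it, not real browser objects.
const TEMPORARY = 0; // same value as window.TEMPORARY in Chrome

// What a page script can observe: does a request for a small temporary
// file system succeed? Reports "available", "unavailable" or "api-missing".
function probeFileSystem(win, done) {
  if (typeof win.webkitRequestFileSystem !== "function") {
    done("api-missing");
    return;
  }
  win.webkitRequestFileSystem(TEMPORARY, 100,
    () => done("available"),
    () => done("unavailable"));
}

// Regular profile: the request is served from disk-backed storage.
const regularWindow = {
  webkitRequestFileSystem(type, size, onSuccess) { onSuccess({ backing: "disk" }); },
};

// Incognito before the change: the API is disabled, so the request fails.
const incognitoBefore = {
  webkitRequestFileSystem(type, size, onSuccess, onError) { onError(new Error("disabled")); },
};

// Incognito after the change: the request succeeds against a RAM-backed
// store that is emptied when the Incognito session ends.
function makeIncognitoAfter() {
  const ram = new Map();
  return {
    webkitRequestFileSystem(type, size, onSuccess) {
      onSuccess({ backing: "ram", write: (k, v) => ram.set(k, v) });
    },
    endSession() { ram.clear(); },
    storedEntries() { return ram.size; },
  };
}

// Collect what the page would observe for one profile.
function observe(win) {
  let result;
  probeFileSystem(win, (r) => { result = r; });
  return result; // stand-ins call back synchronously; the real API is async
}

console.log("regular:         ", observe(regularWindow));
console.log("incognito before:", observe(incognitoBefore));
console.log("incognito after: ", observe(makeIncognitoAfter()));
```

With the RAM-backed store the page sees the same result in both modes, while nothing written during the session outlives it.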
Incognito mode allows users to privately surf the internet without site data and browsing history being saved. It also prevents websites from tracking visitors with cookies. While in Incognito mode, users are essentially preventing advertisers from targeting them based on their web history. It can also be used to get around article limits on subscription-based websites.
One example of a website utilizing this Chrome loophole is The Boston Globe, which replaces articles viewed in Incognito mode with an on-screen prompt in an attempt to stop users from circumventing its paywall.
“You’re using a browser set to private or incognito mode,” says any article page on The Boston Globe’s website. “To continue reading articles in this mode, please log in to your Globe account.”
Google is set to close the loophole via an opt-in feature with Chrome 74, which is reportedly expected in April. The option is tentatively expected to become the default by Chrome 76.
In fact, according to documents obtained by 9to5Google, Google is considering removing the API because it only seems to be useful for web developers hoping to exploit the Incognito Mode loophole.