Google Proposes Fix to Incognito Mode Leak in Chrome

Google has announced a fix to a privacy problem with browsing Chrome in incognito mode. Chrome supports the FileSystem API in normal browsing mode. However, the FileSystem API is not supported in incognito mode. Accordingly, abusive sites detect whether or not a certain user is browsing in incognito mode simply by trying to use the FileSystem API. This created the privacy problem: an incognito mode leak.

The FileSystem API isn't currently supported in incognito mode because the API leaves traces behind with sites that call the API. Such files potentially threaten the goal of incognito mode. However, to avoid sites from merely using the FileSystem API to detect incognito mode, Google's proposed fix is to support the FileSystem API in incognito mode.

Google's proposed fix is stated in a design doc. According to the doc, the FileSystem API is largely unused for purposes outside of detecting incognito mode. By supporting the API, the hope is that usage is driven down and Google can deprecate the API.

To protect privacy while supporting the FileSystem API, Google has proposed keeping both metadata and actual files in memory instead of relying on the website. The key focus of the change is to protect privacy, so supporting an API that intentionally leaves traces with the target site must be altered to implement this fix.

Be sure to read the next Security article: Drupal Core Code Suffers Remote Code Execution Vulnerability