The problematic API here is navigator.webkitTemporaryStorage. The newer, standardized version of that API, navigator.storage, was patched because it allowed sites to detect private tabs, and also because it provided a fingerprintable persistent identifier. We should give the same treatment to this older non-standard API.
The following code returns true when executed in a private browsing session ("incognito mode"):

adapted from Joe12387/detectIncognito
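One possible form of the "same treatment" requested above, added here as an example and not taken from the report or from any browser's source: a wrapper that makes `navigator.webkitTemporaryStorage.queryUsageAndQuota` report one pinned quota in every session. Assumptions: the granted quota is the value that differs between session types, `hardenTemporaryStorage`, `makeFakeStorage`, `reportedQuota` and `FIXED_QUOTA_BYTES` are hypothetical names, and the fake storage objects and their byte counts are constructed so the block runs outside a browser.

```javascript
// Added illustration; not Brave's or Chromium's code. A real fix would live in
// the browser itself; this only models the behaviour at the API boundary.
// Assumption: the granted quota handed to the success callback is the value
// that varies between normal and private sessions, so the wrapper pins it.
const FIXED_QUOTA_BYTES = 2 * 1024 ** 3; // hypothetical constant (2 GiB)

function hardenTemporaryStorage(storage, fixedQuota = FIXED_QUOTA_BYTES) {
  if (!storage || typeof storage.queryUsageAndQuota !== 'function') {
    return false; // API absent on this object: nothing to patch
  }
  const original = storage.queryUsageAndQuota.bind(storage);
  storage.queryUsageAndQuota = function (onSuccess, onError) {
    original((usedBytes, _grantedBytes) => {
      if (typeof onSuccess !== 'function') return;
      // Discard the real quota and keep usage from exceeding the pinned one.
      onSuccess(Math.min(usedBytes, fixedQuota), fixedQuota);
    }, onError);
  };
  return true;
}

// Constructed stand-in for navigator.webkitTemporaryStorage. It calls back
// synchronously so the result can be checked without an event loop.
function makeFakeStorage(usedBytes, grantedBytes) {
  return {
    queryUsageAndQuota(onSuccess) {
      onSuccess(usedBytes, grantedBytes);
    },
  };
}

// Returns the quota a page would observe through the (possibly wrapped) API.
function reportedQuota(storage) {
  let seen = null;
  storage.queryUsageAndQuota((_used, granted) => { seen = granted; });
  return seen;
}

// Constructed sample sessions with different underlying quotas.
const sessionA = makeFakeStorage(1000, 120 * 1024 ** 2);
const sessionB = makeFakeStorage(5000, 300 * 1024 ** 3);
const quotasBefore = [reportedQuota(sessionA), reportedQuota(sessionB)];
hardenTemporaryStorage(sessionA);
hardenTemporaryStorage(sessionB);
const quotasAfter = [reportedQuota(sessionA), reportedQuota(sessionB)];
console.log({ quotasBefore, quotasAfter });
```

A regression test for such a fix would assert the property shown here: the value observed through the API is identical in both session types.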