brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0
17.07k stars 2.23k forks

Private browsing session can be detected through `webkitTemporaryStorage` #39520

Open antonok-edm opened 2 weeks ago

antonok-edm commented 2 weeks ago

The following code returns true when executed in a private browsing session ("incognito mode"):

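```js
await new Promise(resolve => navigator.webkitTemporaryStorage.queryUsageAndQuota(function(_, quota) {
    // Temporary-storage quota reported to the page, in MiB.
    const quotaInMib = Math.round(quota / (1024 * 1024));
    // Threshold: twice the JS heap size limit, in MiB.
    const quotaLimitInMib = Math.round(window.performance.memory.jsHeapSizeLimit / (1024 * 1024)) * 2;
    // A quota below the threshold is treated as a private session.
    resolve(quotaInMib < quotaLimitInMib);
}))
```

Adapted from Joe12387/detectIncognito.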

The problematic API here is `navigator.webkitTemporaryStorage`. The newer, standardized version of that API, `navigator.storage`, was patched because it allowed sites to detect private tabs, and also because it provided a fingerprintable persistent identifier. We should give the same treatment to this older non-standard API.

antonok-edm commented 2 weeks ago

Note the following Chromium code for `QuotaManagerImpl::ContinueIncognitoGetStorageCapacity`:

https://source.chromium.org/chromium/chromium/src/+/main:storage/browser/quota/quota_manager_impl.cc;l=2808?q=quota_manager_impl.cc&ss=chromium
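
A regression check for the property a fix has to provide: the heuristic from the issue should give the same answer in regular and private sessions once the reported quota no longer depends on the session type. This is an added example, not code from Brave, Chromium or the issue author; `mockTemporaryStorage`, `normalizeQuota`, `compareSessions` and every byte value are constructed assumptions, and the fixed quota is not the value Brave uses for `navigator.storage`.

```javascript
const MiB = 1024 * 1024;
const HEAP_LIMIT = 4096 * MiB;       // constructed stand-in for jsHeapSizeLimit
const FIXED_QUOTA = 2 * HEAP_LIMIT;  // assumed constant, chosen at the heuristic's threshold

// Hypothetical mock of navigator.webkitTemporaryStorage reporting a given quota.
function mockTemporaryStorage(quotaBytes) {
  return { queryUsageAndQuota: (onSuccess) => onSuccess(0, quotaBytes) };
}

// Hypothetical shim: forwards the call but always reports the same quota,
// clamping usage so it never exceeds the reported quota.
function normalizeQuota(storage, fixedQuota) {
  return {
    queryUsageAndQuota(onSuccess, onError) {
      storage.queryUsageAndQuota(
        (usage) => onSuccess(Math.min(usage, fixedQuota), fixedQuota),
        onError
      );
    },
  };
}

// The heuristic from the issue, parameterized so it runs outside a browser.
function looksPrivate(storage, heapLimitBytes) {
  return new Promise((resolve) =>
    storage.queryUsageAndQuota((_, quota) => {
      const quotaInMib = Math.round(quota / MiB);
      const quotaLimitInMib = Math.round(heapLimitBytes / MiB) * 2;
      resolve(quotaInMib < quotaLimitInMib);
    })
  );
}

// Run the heuristic on two constructed profiles, raw and through the shim.
async function compareSessions() {
  const regular = mockTemporaryStorage(300 * 1024 * MiB); // constructed large quota
  const priv = mockTemporaryStorage(1600 * MiB);          // constructed small quota
  const run = (s) => looksPrivate(s, HEAP_LIMIT);
  return {
    raw: [await run(regular), await run(priv)],
    normalized: [
      await run(normalizeQuota(regular, FIXED_QUOTA)),
      await run(normalizeQuota(priv, FIXED_QUOTA)),
    ],
  };
}
```

With the constructed values, `raw` differs between the two profiles while `normalized` does not, which is the condition a patched API has to meet.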