| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by dhess 5737 days ago

As far as I can determine, Incognito mode just creates a 2nd sandbox for cookies and history that's shared across all Incognito tabs/windows, and is only deleted once you close them all. Cookies you create in one Incognito tab or window are visible to all other Incognito tabs/windows, just as cookies created in plain tabs/windows are visible to all other plain tabs/windows. So if you go into Incognito mode and browse there for a few hours, soon you've got a bunch of cookies that are following you around the Internet until you close all your Incognito tabs. In my case, I have Chrome set up to delete all cookies on exit, so Incognito doesn't buy me much: I might as well just quit the browser and restart.

If Incognito mode worked in such a way that each tab were its own cookie sandbox, then I'd be reasonably satisfied with it as a cookie management solution, but as it stands, it's not good enough. (Because each tab is a separate process in Chrome, one would think that it would be reasonably easy to support that behavior.) In lieu of that, what I'd really like is a Chrome extension like Firefox's CookieSafe, where I can block all cookies by default and then whitelist them back in on a site-by-site basis, but nothing like that exists at the moment.

For now, the best I can do is the Tab Cookies extension, which removes a domain's cookies once you close the last tab that's browsing the domain. For my purposes, it's inferior to both of the other solutions I mentioned (per-tab sandboxing and whitelisting), but at least I can keep my footprint reasonably small, as long as I'm diligent about closing tabs.

2 comments

uxp 5737 days ago

Not entirely. The basic test I performed involved me logging into a site with a standard window, then opening a new window and navigating to that site. In the new window, I was logged in, because my cookie was shared and the session could be re-activated. When I opened a new Incognito window and navigated to the same site and logged in, and then opened a new Incognito window to that same site, I was not logged in.

If I was to open a link in a new tab from the logged in Incognito tab, that new tab would inherit the session from the parent tab, but opening a new window or tab and manually navigating to that site forces the site to create a new session.

Similarly, if a malicious site was have some code that tried to steal my session (via iframe or similar), it could only do so in the same incognito tab I had an active session in. I'm not entirely sure if it could do so if the malicious site was opened from a parent tab that created the session, since I have not tested that, but I assume it can since the session was inherited, and thus shared between the two Incognito tabs.

tl;dr: Incognito tabs/windows just don't create a secondary shared storage cache, they'll create as many sandboxed caches as necessary, only taking existing cache's from their parents.

link

dhess 5737 days ago

The basic test I performed involved me logging into a site with a standard window, then opening a new window and navigating to that site. In the new window, I was logged in, because my cookie was shared and the session could be re-activated. When I opened a new Incognito window and navigated to the same site and logged in, and then opened a new Incognito window to that same site, I was not logged in.

Right, I can reproduce this behavior. This much works.

This behavior I cannot reproduce. Here is what I see:

* Open Chrome. My configuration removes cookies at exit, so I'm in a fresh session with no cookies yet defined.

* Open a new Incognito window with Command-Shift-N. Login to Gmail in this new Incognito tab.

* With the Incognito window as the focus, create a new tab with Command-T.

* In the new Incognito tab, navigate manually to http://google.com/. In this new tab, I'm still signed in to Google with same account I used to login to Gmail.

* Make the standard/plain (non-Incognito) window my focus. Create a new Incognito window with Command-Shift-N.

* In the tab in the new Incognito window, navigate to http://google.com/. In this tab, I'm still signed in to Google with the same account I used to login to Gmail.

So I'm only seeing 2 cookie contexts: one for standard tabs and one for Incognito tabs, regardless of how they're created.. For the record, I'm using the beta channel (currently on 6.0.472.63, Chrome wants me to restart so I'll be on 7).

link

stanleydrew 5737 days ago

> what I'd really like is a Chrome extension like Firefox's CookieSafe, where I can block all cookies by default and then whitelist them back in on a site-by-site basis, but nothing like that exists at the moment.

Wait what? That functionality is built into Chrome, and you configure it in the same place that you toggle deletion of all cookies on exit. What you describe above is exactly how I browse in Chrome. No extension necessary.

link

RK 5737 days ago

There's really a night and day difference between CookieSafe style cookie management and what Chrome offers in terms of usability. CookieSafe is much nicer and no Chrome extensions seem to offer anything similar.

link

stanleydrew 5736 days ago

I haven't used CookieSafe but I have no doubt that its functionality is more advanced than Chrome's built-in options. Chrome doesn't expose the internal APIs required to control Cookie functionality to the extension system. So we're "stuck" with that Chrome gives us, which is more than good enough for my needs.

link

dhess 5737 days ago

For the sake of brevity, I didn't go into detail about how CookieSafe works, but try it out and you'll see why it's an entirely different experience than creating a static whitelist in a browser dialog box.

link