Hacker News new | ask | show | jobs
by uxp 5736 days ago
As far as I can determine, Incognito mode just creates a 2nd sandbox for cookies and history that's shared across all Incognito tabs/windows, and is only deleted once you close them all. Cookies you create in one Incognito tab or window are visible to all other Incognito tabs/windows, just as cookies created in plain tabs/windows are visible to all other plain tabs/windows.

Not entirely. The basic test I performed involved me logging into a site with a standard window, then opening a new window and navigating to that site. In the new window, I was logged in, because my cookie was shared and the session could be re-activated. When I opened a new Incognito window and navigated to the same site and logged in, and then opened a new Incognito window to that same site, I was not logged in.

If I was to open a link in a new tab from the logged in Incognito tab, that new tab would inherit the session from the parent tab, but opening a new window or tab and manually navigating to that site forces the site to create a new session.

Similarly, if a malicious site was have some code that tried to steal my session (via iframe or similar), it could only do so in the same incognito tab I had an active session in. I'm not entirely sure if it could do so if the malicious site was opened from a parent tab that created the session, since I have not tested that, but I assume it can since the session was inherited, and thus shared between the two Incognito tabs.

tl;dr: Incognito tabs/windows just don't create a secondary shared storage cache, they'll create as many sandboxed caches as necessary, only taking existing cache's from their parents.
1 comments
dhess 5736 days ago
The basic test I performed involved me logging into a site with a standard window, then opening a new window and navigating to that site. In the new window, I was logged in, because my cookie was shared and the session could be re-activated. When I opened a new Incognito window and navigated to the same site and logged in, and then opened a new Incognito window to that same site, I was not logged in.

Right, I can reproduce this behavior. This much works.

If I was to open a link in a new tab from the logged in Incognito tab, that new tab would inherit the session from the parent tab, but opening a new window or tab and manually navigating to that site forces the site to create a new session.

This behavior I cannot reproduce. Here is what I see:

* Open Chrome. My configuration removes cookies at exit, so I'm in a fresh session with no cookies yet defined.

* Open a new Incognito window with Command-Shift-N. Login to Gmail in this new Incognito tab.

* With the Incognito window as the focus, create a new tab with Command-T.

* In the new Incognito tab, navigate manually to http://google.com/. In this new tab, I'm still signed in to Google with same account I used to login to Gmail.

* Make the standard/plain (non-Incognito) window my focus. Create a new Incognito window with Command-Shift-N.

* In the tab in the new Incognito window, navigate to http://google.com/. In this tab, I'm still signed in to Google with the same account I used to login to Gmail.

So I'm only seeing 2 cookie contexts: one for standard tabs and one for Incognito tabs, regardless of how they're created.. For the record, I'm using the beta channel (currently on 6.0.472.63, Chrome wants me to restart so I'll be on 7).

link