[RandomBK]

Some web APIs are disabled in incognito mode, yet are almost universally present on modern browsers. By attempting to use these APIs, a web page can detect if you are in Incognito. If the API is blocked, they can reasonably assume you are.

[yellowapple]

Sounds like the reasonable thing to do would be to shim those APIs to make them look like they're functional (in fact, it sounds like Chrome Canary is doing exactly that with the filesystem API).

[RandomBK]

I wonder how far you'd need to shim before you can stamp out detection. I.e. does it really matter if you shim the Filesystem API? A program can just write some data and try to read it back. If the shims just no-oped those API calls, it'd be pretty easy to detect, no?

Chrome Canary's workaround is to store blobs in memory, which one can argue is akin to actually implementing the API and not disabling it.

[yellowapple]

I mean, if the point of the API is to access the filesystem, and you instead redirect those calls to a different in-memory scratch filesystem local to that incognito session and/or tab, then I'd call that shimming to at least some extent; it'd just be an especially thick shim.

[breakingcups]

In that case it might still be detectable by measuring timing of storage and retrieval?

[yellowapple]

Maybe. Adding a delay could further mask that.

[sublupo]

Thanks. What were some examples of those APIs?

[JonoW]

I believe FileSystem API is one of them.

[frosted-flakes]

The localStorage API on Safari too, I believe.