by RandomBK 2670 days ago
I wonder how far you'd need to shim before you can stamp out detection. I.e. does it really matter if you shim the Filesystem API? A program can just write some data and try to read it back. If the shims just no-oped those API calls, it'd be pretty easy to detect, no?

Chrome Canary's workaround is to store blobs in memory, which one can argue is akin to actually implementing the API and not disabling it.

1 comments

I mean, if the point of the API is to access the filesystem, and you instead redirect those calls to a different in-memory scratch filesystem local to that incognito session and/or tab, then I'd call that shimming to at least some extent; it'd just be an especially thick shim.
In that case it might still be detectable by measuring timing of storage and retrieval?
Maybe. Adding a delay could further mask that.
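
Added example, not part of the thread or written by any of its participants: a write-then-read-back probe run against a no-op shim and against an in-memory shim scoped to one session, as a check a browser engineer could use to see whether a shim is distinguishable. The `write`/`read` interface and the class names are hypothetical and synchronous for brevity; this is not the real Filesystem API.

```javascript
// Hypothetical minimal storage interface: write(name, bytes) / read(name).

// Thin shim: accepts every call and stores nothing.
class NoopShim {
  write(name, data) {}
  read(name) { return null; }
}

// Thick shim: a scratch store that lives only as long as this session object.
class MemoryShim {
  constructor() { this.files = new Map(); }
  write(name, data) { this.files.set(name, Uint8Array.from(data)); } // copy in
  read(name) {
    const d = this.files.get(name);
    return d ? Uint8Array.from(d) : null;                            // copy out
  }
}

// Constructed sample payload: 64 deterministic bytes.
function samplePayload() {
  return Uint8Array.from({ length: 64 }, (_, i) => (i * 37) & 0xff);
}

// The probe from the first comment: write some data, try to read it back.
function roundTrips(store) {
  const name = "probe-" + Math.random().toString(36).slice(2);
  const payload = samplePayload();
  store.write(name, payload);
  const back = store.read(name);
  return back !== null && back.length === payload.length &&
         back.every((b, i) => b === payload[i]);
}

// Data written in one session's scratch store must not be visible in another.
function sessionsIsolated() {
  const a = new MemoryShim(), b = new MemoryShim();
  a.write("secret", samplePayload());
  return a.read("secret") !== null && b.read("secret") === null;
}

function compareShims() {
  return {
    noopPassesProbe: roundTrips(new NoopShim()),     // false: trivially detectable
    memoryPassesProbe: roundTrips(new MemoryShim()), // true: behaves like storage
    isolated: sessionsIsolated(),
  };
}
```

The probe only checks functional behaviour; the timing difference raised in the replies is not measured here.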