by i_v 2537 days ago
I was surprised to see that this tracking works across both regular and private browsing in Firefox (67.0.4 on macOS). I can see the number of visits increment and whatever message I've saved on either side is displayed to both.
8 comments

It is creating a new session; it's just that the server code uses a deterministic session key which is created based on your IP address and user agent. So as long as you use the same browser/IP combo you will get assigned the same etag (at least user-agent is in there; otherwise it would be extra trippy to load the page on FF and go to Safari and see the # visits/message displayed there too).

  $etag = substr(sha1($secret . sha1($_SERVER["REMOTE_ADDR"]) . sha1($_SERVER["HTTP_USER_AGENT"])), 0, 18);
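
Added example (not part of the thread or the site's source): a small PHP model of the derivation quoted above next to a random one, showing what each means for a regular and a private window that share an IP and user agent. The `assign_etag` handler, the `random_etag` form, the secret, the IP and the user-agent string are all assumptions made for illustration.

```php
<?php
// Added illustration; the secret, IP and UA below are constructed values.
$secret = 'constructed-demo-secret';
$ip = '203.0.113.7';
$ua = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0';

// The derivation quoted above: output depends only on secret, IP and UA.
function deterministic_etag(string $secret, string $ip, string $ua): string
{
    return substr(sha1($secret . sha1($ip) . sha1($ua)), 0, 18);
}

// Assumed form of "derive this from randomness": 9 random bytes = 18 hex chars.
function random_etag(): string
{
    return bin2hex(random_bytes(9));
}

// Hypothetical handler: echo back the validator a client revalidates with
// (If-None-Match), otherwise mint a new ETag for a client with an empty cache.
function assign_etag(?string $ifNoneMatch, callable $mint): string
{
    return $ifNoneMatch ?? $mint();
}

$strategies = [
    'deterministic' => function () use ($secret, $ip, $ua) {
        return deterministic_etag($secret, $ip, $ua);
    },
    'random' => 'random_etag',
];

foreach ($strategies as $name => $mint) {
    // Regular and private windows each start with their own empty cache,
    // so neither sends If-None-Match on its first request.
    $regular = assign_etag(null, $mint);
    $private = assign_etag(null, $mint);
    // A later visit from the regular window revalidates with its stored ETag.
    $revisit = assign_etag($regular, $mint);

    printf(
        "%-13s regular=%s private=%s linked_across_modes=%s revisit_linked=%s\n",
        $name, $regular, $private,
        var_export($regular === $private, true),
        var_export($revisit === $regular, true)
    );
}
```

In the deterministic case the two windows receive the same identifier on their very first request, before either has a cached validator to send back; with the random variant only the window that stored the ETag is recognised again.
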
You're right! That sort of negates the opening statement though:

> This tracking method works without needing to use: [...] Your IP address or user agent string

The author even notes in the source, "Normally you would derive this from randomness." I wonder what the reasoning was for this strategy?

Why is private browsing mode not emptying the cache then? Seems to be contrary to the very purpose of the mode...
Private browsing mode wasn't (originally) intended to prevent tracking by websites. Its goal was to keep your browsing history locally private (i.e. keep your pr0n viewing out of the local browsing history so your friends wouldn't see what kind of porn you like when they borrow your laptop to check their email).

That definition has expanded a bit (very) recently, but preventing website tracking is usually a separate feature (adblockers, NoScript, automatic cookie deletion tools, Firefox's recent "tracking blocker").

Private browsing was and still is mostly about hiding from other users on the device, not hiding from the people you are connecting to.

---

You’ve gone incognito,

Now you can browse privately, and other people who use this device won’t see your activity.

Your activity might still be visible to:

* Websites you visit

* Your employer or school

* Your internet service provider

I just tested Firefox 67.0.4 and Chromium 75.0.3770.100 on Arch and both have the same behavior. Definitely not something I expected.
It also works even if you use uMatrix and block the loading of images and CSS, after the image was loaded for the first time.
Does this interfere with lazy loading?
Same for me with Firefox and Chromium on Ubuntu. Guess they share the cache with private windows?
Same for Chrome. Wow. Truck-sized hole, this one.
Same for Safari on OSX and iOS.
Should only work for first party though. Safari partitions its cache by the origin in the address bar[1] so your typical advertising tracking should not work.

[1] https://andydavies.me/blog/2018/09/06/safari-caching-and-3rd...

Same, actually. Firefox 67.0.4 (64-bit) Windows.

Edit: Submitted a bug

Can you add a link to the bug you created?