[Webkit-unassigned] [Bug 258820] New: Private Browsing Detection from JS in Safari

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 3 12:25:58 PDT 2023


            Bug ID: 258820
           Summary: Private Browsing Detection from JS in Safari
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
               URL: https://underpassapp.com/StopTheMadness/PrivateWindowT
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ahmad.saleem792 at gmail.com
                CC: ap at webkit.org

Hi WebKit Team,

I came across following test page:


and noticed that websites are able to detect when we are in Private Window at least in Safari (this test case does not reflect this in Chrome but it could be due to UA String filtering or browser level check in this website as well).

Anyway - if you visit this test page, you get 'Private Window: Yes', while this information shouldn't be available to website.

This was added to web extension recently:

Earlier Version relying on WebSQL (but now fixed since Safari 13) - https://lapcatsoftware.com/articles/private-browsing.html

Latest (used by Medium as per Extension Developer) - https://underpassapp.com/news/2023-5-30.html

"I've recently learned that Medium, for example, exploits a newer technique to detect whether you're viewing the web page in a Safari private window. I've created my own test page to demonstrate the technique. I've also created a new StopTheMadness website option to stop it: Protect private windows. This option is enabled by default, so if you update to the latest version of StopTheMadness, you're protected! Private browsing is now really private again."

Appreciate if you can fix this workaround and improve privacy further.


You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230703/0e236039/attachment.htm>

More information about the webkit-unassigned mailing list