Bug 258820 - Private Browsing Detection from JS in Safari
Summary: Private Browsing Detection from JS in Safari
Status: RESOLVED DUPLICATE of bug 156347
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL: https://underpassapp.com/StopTheMadne...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-07-03 12:25 PDT by Ahmad Saleem
Modified: 2023-07-18 17:30 PDT (History)
10 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ahmad Saleem 2023-07-03 12:25:58 PDT 
Hi WebKit Team,

I came across following test page:

https://underpassapp.com/StopTheMadness/PrivateWindowTest.html

and noticed that websites are able to detect when we are in Private Window at least in Safari (this test case does not reflect this in Chrome but it could be due to UA String filtering or browser level check in this website as well).

Anyway - if you visit this test page, you get 'Private Window: Yes', while this information shouldn't be available to website.

This was added to web extension recently:

Earlier Version relying on WebSQL (but now fixed since Safari 13) - https://lapcatsoftware.com/articles/private-browsing.html

Latest (used by Medium as per Extension Developer) - https://underpassapp.com/news/2023-5-30.html

"I've recently learned that Medium, for example, exploits a newer technique to detect whether you're viewing the web page in a Safari private window. I've created my own test page to demonstrate the technique. I've also created a new StopTheMadness website option to stop it: Protect private windows. This option is enabled by default, so if you update to the latest version of StopTheMadness, you're protected! Private browsing is now really private again."

Appreciate if you can fix this workaround and improve privacy further.

Thanks!
Comment 1 Ahmad Saleem 2023-07-03 12:50:16 PDT 
(function () {
"use strict";
function isPrivate(flag) {
    document.getElementById("status").textContent = flag ? "Yes" : "No";
}

window.indexedDB.open("test", 1).onupgradeneeded = function(event) {
    const db = event.target.result;
    const objectStore = db.createObjectStore("test", { autoIncrement: true });
    try {
        objectStore.put(new Blob());
        isPrivate(false);
    } catch (error) {
        const message = error.message;
        isPrivate(typeof message === "string" && /BlobURLs are not yet supported/.test(message));
    } finally {
        db.close();
        window.indexedDB.deleteDatabase("test");
    }
};
})();

____________

This is JS used by website leveraging IndexedDB.
Comment 2 Radar WebKit Bug Importer 2023-07-10 12:26:18 PDT 
<rdar://problem/112032178>
Comment 3 Charlie Wolfe 2023-07-18 17:30:32 PDT 
Example provided shows that private browsing is detected because blob URls aren't supported.
Comment 4 Charlie Wolfe 2023-07-18 17:30:47 PDT 

*** This bug has been marked as a duplicate of bug 156347 ***