- Investigation of Privacy Mode:
  - Good:
    - Cookies cleared and memory-only
    - Cache cleared and memory-only
    - History not available via JavaScript or CSS
    - Safe because currently unsupported:
      - Geolocation not supported in browser
      - DOM Storage not supported
      - HTML5 Storage not supported
    - HTTP auth is cleared
    - Do they have a session store?
      - Yes. It is disabled.
    - Form history disabled
      - But non-private entries still available
    - Malware and phishing protection
      - Per-URL check?
        - Doesn't seem like it.
  - Bad:
    - RLZ identifier sent with all queries even in Incognito mode
      - http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=107684
    - Flash cookies not cleared
    - Google Gears is still available
      - Does it have its own storage?
        - Yes. Completely ignores private mode.
    - Safebrowsing API key not cleared?
      - But updates may not happen "under" the incognito window
    - Desktop resolution available
    - Browser resolution available
    - SSL session keys
      - Not cleared!
      - They clear trusted certs, though
    - Timezone not spoofed
  - Misc features we definitely need:
    - Incognito-specific proxy settings
      - Browser proxy settings currently do not apply immediately
    - Plugin enable/disable controls
    - Spoof user agent
    - Referer alteration API
    - Autolaunching of remote apps needs to be disabled
    - API to opt out of all the opt-in tracking for incognito mode
    - Cookie API would be nice
    - Need network.security.ports.banned
      - http://www.remote.org/jochen/sec/hfpa/hfpa.pdf
    - Resize windows (content-window side possibly OK)
  - Future investigation:
    - Non-private form history still available
    - Forms seem to not be auto-filled, but this may be different for some fields?
    - How evil is Google Update? Will it happen over incognito?
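Added example (not part of the original notes, and not Chrome's own code): a small self-audit that a test page can run inside a private window to report which of the surfaces listed above are still exposed to a site (DOM/session storage, geolocation, desktop and browser resolution, timezone, user agent, referrer). The global object is passed in as a parameter so the same logic runs in a browser (pass `window`) or offline against a constructed stand-in; `auditPrivacySurface`, `findings` and `makeFakeGlobal` are names chosen here, not browser APIs.

```javascript
// Probe a Web Storage area by name. Storage may be absent, or present but
// throw on write (some private modes raise SecurityError when touched).
function hasStorage(g, name) {
  try {
    const store = g[name];
    if (!store) return false;
    const probe = "__privacy_audit__";
    store.setItem(probe, "1");
    const ok = store.getItem(probe) === "1";
    store.removeItem(probe);
    return ok;
  } catch (e) {
    return false;
  }
}

// Build a report of what the page can see. `g` is the global object
// (`window` in a browser, or a constructed stand-in when run offline).
function auditPrivacySurface(g) {
  const nav = g.navigator || {};
  const scr = g.screen || {};
  const doc = g.document || {};
  return {
    // Storage that would let a site persist an identifier across loads.
    domStorage: hasStorage(g, "localStorage"),
    sessionStorage: hasStorage(g, "sessionStorage"),
    // Listed as "safe because unsupported" in the notes above.
    geolocation: Boolean(nav.geolocation),
    // Fingerprinting surfaces the notes mark as exposed.
    desktopResolution:
      typeof scr.width === "number" && typeof scr.height === "number"
        ? `${scr.width}x${scr.height}`
        : null,
    browserResolution:
      typeof g.innerWidth === "number" && typeof g.innerHeight === "number"
        ? `${g.innerWidth}x${g.innerHeight}`
        : null,
    timezoneOffsetMinutes:
      typeof g.Date === "function" ? new g.Date().getTimezoneOffset() : null,
    userAgent: typeof nav.userAgent === "string" ? nav.userAgent : null,
    referrer:
      typeof doc.referrer === "string" && doc.referrer.length > 0
        ? doc.referrer
        : null,
  };
}

// Turn the report into one human-readable finding per exposed surface.
function findings(report) {
  const out = [];
  if (report.domStorage) out.push("DOM storage writable");
  if (report.sessionStorage) out.push("session storage writable");
  if (report.geolocation) out.push("geolocation API present");
  if (report.desktopResolution)
    out.push(`desktop resolution exposed (${report.desktopResolution})`);
  if (report.browserResolution)
    out.push(`browser resolution exposed (${report.browserResolution})`);
  if (report.timezoneOffsetMinutes !== null)
    out.push(`timezone offset exposed (${report.timezoneOffsetMinutes} min)`);
  if (report.userAgent) out.push("user agent exposed");
  if (report.referrer) out.push("referrer leaked");
  return out;
}

// Constructed stand-in for running outside a browser. It mirrors the "Bad"
// column above: resolution, timezone and user agent exposed, no DOM storage,
// session storage present but throwing on write, no geolocation.
function makeFakeGlobal() {
  return {
    navigator: { userAgent: "ExampleBrowser/1.0" },
    screen: { width: 1280, height: 800 },
    innerWidth: 1024,
    innerHeight: 700,
    document: { referrer: "" },
    Date: Date,
    localStorage: undefined,
    sessionStorage: {
      setItem() { throw new Error("SecurityError"); },
      getItem() { return null; },
      removeItem() {},
    },
  };
}

// In a browser: console.log(findings(auditPrivacySurface(window)));
```

Run the last line from the console of a page opened in a private window and compare the output against the list above; a surface that appears in the findings is one the private mode does not hide from the site.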