1. Private Browsing Firefox 20

Mozilla has released Firefox 15 for iOS with improvements to the Private Browsing mode, the main menu, settings, and tabs.

I'm building an extranet for a company paranoid about security. They want to make sure that (among other things) their users are browsing the site with the Private Browsing mode switched on in their web browser so that no cookies or history is kept.

1. How To Clear Your Private Browsing Data in Firefox. 2) Make sure Browsing History, Saved Form and Search History, Cache, Cookies, Saved Passwords and Authenticated Sessions tick boxes are checked. 3) Click Clear Private Data Now. 4) Close Mozilla Firefox. If you want to clear your private data automatically when you exit Firefox.
2. Tip: To leave Private Mode, close the private window or re-open the Firefox browser. Open the Opera browser. Press the Ctrl+Shift+N keys at the same time. Open the Opera browser. Click the button in the upper-left-hand corner of the window. From the drop-down menu, select New private window.

I found only thishttp://jeremiahgrossman.blogspot.com/2009/03/detecting-private-browsing-mode.htmlandhttps://serverfault.com/questions/18966/force-safari-to-operate-in-private-mode-and-detect-that-state-from-a-webserver

Private Browsing Firefox 20

The ideal solution would use no or minimal javascript. Would attempting to set a unique cookie work for all browsers and platforms? Anyone done this before?

thanks!

update

http://crypto.stanford.edu/~collinj/research/incognito/ uses the CSS visited technique of the browser fingerprinters mentioned by other posters- thanks for the hints.

I like it because it is small and elegant, but still want to be able to do it without javascript if possible.

16 Answers

Update June 2019

Google is removing the ability to detect Private Browsing Mode permanently in Chrome 76 onwards. So, if you're wanting to detect private browsing it's now impossible (unless you find a way to do it that Google hasn't found). The ability to detect private browsing mode has been acknowledged as a bug and was never intended.

To anyone else coming across this question, please note as of 2014, there is no reliable or accurate way to detect if someone is browsing in an incognito/private/safe browsing mode through Javascript or CSS. Previous solutions that once worked like the CSS history hack have since been rendered unusable by all browser vendors.

There should never be a situation where needing to detect private browsing mode on a normal day-to-day website is ever needed. People are choosing to browsing anonymously and or not anonymously for their own reasons.

Browsers like Chrome and Firefox do not disable functionality like localStorage any more. They simply namespace it in a temporary location to prevent websites that use it from erroring out. Once you're finished browsing, the namespace is erased and nothing is saved. If you are testing for localStorage support regardless of mode, it will always return true for browsers that support it.

Other means of detecting private mode in Chrome specifically have been completely patched and will no longer work.

If it is required internally by a company, you should develop a browser plugin. Chrome and Firefox, in particular, expose internal API's which allow plugins to check if the user is in private browsing/incognito mode and action accordingly. It cannot be done outside of a plugin.

Here's an easier way to do detect privacy mode. This works in Safari only. I created it because a web app I am developing uses localStorage. LocalStorage is not available in Safari when in privacy mode, thus my app will not work. On page load, run the script below. It shows an alert box if we cannot use localStorage.

It is possible to detect enabled private browsing modes for the majority of used browsers. This includes Safari, Firefox, IE10, Edge and Google Chrome.

Firefox

When the private browsing mode of Firefox is enabled, the IndexedDB throws an InvalidStateError because it is not available in private browsing mode.

To very if that:

Safari

For Safari, the key is the local storage service. It is disabled in privacy mode. So try to access it and use a try-catch clause.The following method works on both, OSX and iOS devices. Credits for this method are going to this question and answer

IE10/Edge

Internet Explore is even going to disable the IndexedDB when in privacy mode. So check for existence. But that's not sufficient enough, because older browsers maybe don't even have an IDB. So do another check, e.g. for events that only IE10 and subsequent browser have/trigger. A related question on CodeReview can be found here

Chrome

Chromes Incognito mode can be verified by the file system. A great explanation can be found here on SO

Here is my take on detecting private mode

edit found a modern, faster, synkronas way to try it in firefox (they don't have service workers in privat mode) similar to ie don't include indexedDB but the test only works in secure sites

There's no way for your web page to know, absolutely for sure, that the user is in private browsing mode. Any attempts to check for various browser features will need to change often as security implementations are updated. It may work for some time in some browsers, but not all.

If the company is that concerned about security, I'd suggest rolling your own Firefox or Chromium distribution with locked down privacy settings, and only allowing that custom client to connect to the extranet.

The localStorage trick is a bug which has been fixed, and it doesn't work anymore in Safari 11.0.

There is an interesting alternative that works in Safari, Opera and Internet Explorer (not Chrome): those browser send a DNT: 1 header (Do Not Track).

It's not 100% reliable because this header can be enabled for normal browsing (it's disabled by default), but it can help to identify privacy-conscious users.

You're not going to block them if they don't have private browsing enabled.

Why have a smart message box at all?

Would attempting to set a unique cookie work for all browsers and platforms? Anyone done this before?

I think the most elegant solution would be to:

• Perform a security leak test
• If security leak test reveals issue
  • Tell user to check settings
  • Suggest privacy mode

Because as you said, not everyone can or needs to enable privacy mode.

Web browsers behave differently when privacy mode is activated.

On many browsers the caching of resources is limited. It is possible to detect where a browser has been based on their CSS cache. Its possible to conduct this this attack without JavaScript.

The EFF is working on a project to fingerprint browsers. Parts of the browsers fingerprint will be different when privacy mode is activated. Go ahead, try it.

I agree with DigitalSeas's sentiment that we should generally not try to detect if the user is in a 'private browsing' mode. However, I recently discovered that FireFox now subscribes to a service called 'disconnect.me', which provides the url blacklist they use in their 'tracking protection' feature. Since disconnect.me blacklists certain social networks (e.g. Facebook's facebook.net), we found that their SDKs would not load in FireFox. Therefore, it seems reasonable that we could try and detect private browsing mode in order to provide a more useful and precise error message to our users.

With that justification out of the way, this gist claims to provide detection for private browsing in major browsers using tricks specific to those browsers. At the time of this writing (the gist may have been updated by the time you read this) the detection logic is as follows:

I have built a little library that will work on all major platforms and browsers that I have tested: https://github.com/jLynx/PrivateWindowCheck

You can simply call

Well, you wouldn't really distinguish private mode from 'block all cookies' in that way, but apart from that rare situation I guess it should work.

The big problem IMO, is that this is a very very bad site design, not better than the good ol' 'you need browser xxx to see this website' that was common in the '90s. Not all browser have a Private Browsing mode (as much as I despise IE, your cutting out IE7 users for instance) and those users won't be able to access your site at all.

Also, when I'm on the Internet I often have several tabs open with multiple website. It would be really annoying for me to have to switch to private mode just to see that website and not being able to access the other sites at the same time.

One thing you could do would be designing the site using sessions instead of cookies, so they won't be stored (as you don't use them...). And as for the history... really, what's the problem with that?

I've solved this issue by using two HTML pages. The main page define a status variable and set a cookie. The second page is opened in a new window (not tab), read the cookie and set status to the cookie value. Under MSIE, the cookie value is passed to the child page when the main page in normal mode. When in InPrivate Browsing mode, the cookie value is not passed to the child page (but is passed if you open a new tab).

The main.html page:

The child.html page:

I'm using InPrivate Browsing mode in order to prevent Browser Helper Objects (BHO) and browser extensions to be enabled, since BHO are most often malwares which can modify the web pages even if HTTPS and strong authentication are used. Internet Explorer 9 has a 'Disable toolbars and extensions when InPrivate Browsing starts' in its 'Privacy' settings.

However, this is not the ultimate way to prevent malicious browser extension: a malicious extension may change the main page behavior to make it think that the myCookie value has not been set and. We would wrongly assume that we are in InPrivate Browsing mode.

Note that I need cookies for my application so I do not use InPrivate Browsing for that purpose.

Write code to achieve following

1) In firefox test browser version. This method works with version >= 33.0 ( supports service workers ). Cannot use this method with old ( < 33.0 ) versions.

2) Try to set service worker.3) If you can set,use or access a service worker you are 1000% not in private browsing mode as service workers cannot be interacted with on Firefox private browsing mode. I wish that they could be.

Quote:

'In Firefox, Service Worker APIs are hidden and cannot be used when the user is in private browsing mode'

Not sure if its cause this question is old but Firefox does provide documentation on how to detect private browsing mode. However it involves using an import of theirs DXR PrivateBrowsingUtils:

While creating my Safari extension, I found out that it was possible to query the boolean safari.self.browserWindow.activeTab.private. Below worked for me to check whether the browser was open in Private or not but only from the extension.

Source: developer.apple.com Instance Property private

Not the answer you're looking for? Browse other questions tagged javascripthtmlsecuritybrowsercookies or ask your own question.

Private Browsing automatically erases your browsing information, such as passwords, cookies and history, leaving no trace after you end the session. Firefox also has Tracking ProtectionContent Blocking, which prevents hidden trackers from collecting your data across multiple sites and slowing down your browsing.

Table of Contents

There are two ways to open a new Private Window:

Open a new Private Window from the Firefox menu

• Click the menu button and then click .

The Private Browsing home page will open in a new window.

Open a link in a new Private Window

• Right-clickHold down the control key while you click on any link and choose Open Link in New Private Window from the context menu.

• Visited pages: No pages will be added to the list of sites in the History menu, the Library window's history list, or in the address bar drop-down list.
• Form and Search Bar entries: Nothing you enter into text boxes on web pages or the Search bar will be saved for Form autocomplete.
• Passwords: No new passwords will be saved.
• Download List entries: No files you download will be listed in the Downloads Window after you turn off Private Browsing.
• Cookies: Cookies store information about websites you visit such as site preferences, login status, and data used by plugins like Adobe Flash. Cookies can also be used by third parties to track you across websites. See How do I turn on the Do Not Track feature? for more information about tracking. Cookies set in private windows are held temporarily in memory, separate from regular window cookies, and discarded at the end of your private session (after the last private window is closed).
• Cached Web Content and Offline Web Content and User Data: No temporary Internet files (cached files) or files that websites save for offline use will be saved.

• New bookmarks you create while using Private Browsing will be saved.
• Any files you download to your computer while using Private Browsing will be saved.

Firefox is set to remember history by default but you can change this setting in your Firefox Privacy OptionsPreferences:

1. Click the menu button and choose ..
2. Select the Privacy & Security panel and go to the History section.
3. Choose Never remember history from the drop-down menu.
   This is equivalent to always being in Private Browsing mode.

• You can always remove recent browsing, search and download history after visiting a site.
• Read more articles on this topic: Passwords, forms, search, and history - control what Firefox suggests