@cypnk there's a private browsing mode in FF too. What I wonder is if this site detects FF private mode too.

@rysiek Yup. It does. It only happens when I enable JavaScript so Firefox is leaking incognito mode info as well

@cypnk right, so they're using JavaScript to detect this? Interesting.

@rysiek Yeah. Something either failing in adblocking (I have uBlock Origin) or there's a secondary route that's causing the browser itself to leak the status

@cypnk @rysiek
maybe they just check if you have any tracking cookies, and if you don't, then you're probably using private mode.

@rysiek @cypnk afaik it's possible to detect visited links, so you can check if a specific url has been visited.
If history is turned off entirely, you can add a redirect or push a history item through JS, then add an <a> element somewhere with the same URL and check its state.

@cypnk @rysiek it actually seems like that specific attack vector has been taken care of:
https://stackoverflow.com/questions/7290959/how-can-i-detect-visited-and-unvisited-links-on-a-page#7291538

@grainloom @rysiek Once again, JS proves to be the weak point

@grainloom @cypnk yeah, it's an old one. I remember this being a think some decade ago or so.

@rysiek @cypnk they have other ways though, at least for detecting if something has been loaded (this probly won't detect private browsing): measuring loading times.
If stg has been cached, it will load faster.
This, afaik, does not have a mitigation.
(but it still doesn't answer how private browsing is detected)