Private browsing mode versus a browser set to keep nothing on exit

April 17, 2019

These days, apparently a steadily increasing variety of websites are refusing to let you visit their site if you're in private browsing or incognito mode. These websites are advertising that their business model is invading your privacy (not that that's news), but what I find interesting is that these sites don't react when I visit them in a Firefox that has a custom history setting of 'clear history when Firefox closes'. As far as I can tell this still purges cookies and other website traces as effectively as private browsing mode does, and it has the side benefit for me that Firefox is willing to remember website logins.

(I discovered this difference between the two modes in the aftermath of moving away from Chrome.)

So, this is where I say that everyone should do this instead of using private browsing mode? No, not at all. To be bluntly honest, my solution is barely usable for me, never mind someone who isn't completely familiar with Firefox profiles and capable of wiring up a complex environment that makes it relatively easy to open a URL in a particular profile. Unfortunately Firefox profiles are not particularly usable, so much so that Firefox had to invent an entire additional concept (container tabs) in order to get a reasonably approachable version.

(Plus, of course, Private Browsing/Incognito is effectively a special purpose profile. It's so successful in large part because browsers have worked hard to make it extremely accessible.)

Firefox stores and tracks cookies (and presumably local storage) on a per-container basis, for obvious reasons, but apparently doesn't have per-container settings for how long they last or when they get purged. Your browsing history is global; history entries are not tagged with what container they're from. Mozilla's Firefox Multi-Account Containers addon looks like it makes containers more flexible and usable, but I don't think it changes how cookies work here, unfortunately; if you keep cookies in general, you keep them for all containers.

I don't think you can see what container a given cookie comes from through Firefox's normal Preferences stuff, but you can with addons like Cookie Quick Manager. Interestingly, it turns out that Cookie AutoDelete can be set to be container aware, with different rules for different containers. Although I haven't tried to do this, I suspect that you could set CAD so that your 'default' container (ie your normal Firefox session) kept cookies but you had another container that always threw them away, and then set Multi-Account Containers so that selected annoying websites always opened in that special 'CAD throws away all cookies' container.

(As covered in the Cookie AutoDelete wiki, CAD can't selectively remove Firefox localstorage for a site in only some containers; it's all or nothing. If you've set up a pseudo-private mode container for some websites, you probably don't care about this. It may even be a feature that any localstorage they snuck onto you in another container gets thrown away.)

Comments on this page:

Do they say this? Do you know how they are (or could be) detecting this?

I would have guessed it was due to the Firefox default "blocks known trackers in Private Windows", which effectively means all current third-party advertising. Are you seeing this in Chrome / Chromium as well?

By cks at 2019-04-18 00:46:08:

The New York Times website will say this if you try to read an article while in private browsing mode, among others. I don't know how they're detecting private browsing mode and I haven't tested to see if their detection works in Chrome as well, for its Incognito mode. I'd expect that there's a little bit of an arms race between Mozilla and such people and this may change over time; my impression is that Mozilla probably doesn't want Private Browsing to be readily detectable.

By DeronLJ at 2019-04-18 13:56:08:

Firefox disables IndexedDB in private browsing. If a site attempts to use this and it fails, it assumes that you are using private browsing. So even if you are not in private browsing, if you flip dom.indexedDB.enabled in about:config and try to access one of these sites, you will see the same message.

Another privacy alternative for Firefox is an add-on such as Temporary Containers.

Written on 17 April 2019.
« How Linux starts non-system software RAID arrays during boot under systemd
A pattern for dealing with missing metrics in Prometheus in simple cases »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Apr 17 00:46:39 2019
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.