I'm requesting a TAG review of:
You should also know that...
[please tell us anything you think is relevant to this review]
We'd prefer the TAG provide feedback as (please select one):
Please preview the issue and check that the links work before submitting. In particular, if anything links to a URL which requires authentication (e.g. Google document), please make sure anyone with the link can access the document.
¹ For background, see our explanation of how to write a good explainer.
One question about
What if, say, a very popular app has a pre-populated manifest file specifying a very popular website? We can also assume that the app with manifest is shipped by default, let's say in a very popular operating system.
It seems that this Very Popular app would be able to see that the user is browsing in private browsing mode because the website would expect navigator.getInstalledRelatedApps() to return nothing when in private browsing mode (but it would know that this particular OS/browser in fact most likely has the app with a pre-populated).
Case in point could be Apple Maps or Google Maps or other X Y.
That's a very interesting point which I hadn't considered. Let me start by giving some context around why the incognito restriction was added initially. We were worried that a website might force users to use the native application when users are actually trying to use the website in a privacy preserving mode.
I think this is a useful privacy improvement that will benefit all origins. On the other hand, the situation described by @lknik might give a select few websites another signal for fingerprinting privacy preserving mode, although it will still have false positives (when users uninstall the pre-installed apps).
At this point, I believe the benefits of keeping the privacy preserving mode restrictions outweigh those of the alternative.