How to Outsmart Website Incognito Mode Detection and Blocking
If you‘re a privacy-conscious web user, you‘ve likely used your browser‘s incognito or private browsing mode. Incognito mode prevents your browsing history, cookies, and site data from being saved on your device. It‘s a popular way to log into multiple accounts, bypass soft paywalls, or access region-restricted content.
However, some websites have started detecting and blocking visitors who use incognito mode. You may see "please disable private browsing mode" messages or be denied access entirely. For example, the Boston Globe and Los Angeles Times block incognito users to prevent circumvention of their metered paywalls.
As a web developer, I was curious how incognito detection worked and if it could be bypassed. With a little sleuthing and experimentation, I found I could outsmart these detection scripts with some simple client-side modifications. Here‘s how I did it.
How websites detect incognito mode
Browsers don‘t provide any direct way for websites to determine if incognito mode is active. However, they can check for incognito-specific side effects using a variety of methods:
-
The most common is probing for the
FileSystemAPI, which incognito mode disables. A site can check if the API exists:if (window.webkitRequestFileSystem) { // Not incognito } else { // Incognito detected! } -
Incognito mode also partitions LocalStorage differently. Sites can check for this by:
- Setting a value in LocalStorage
- Opening an iframe to itself
- Trying to read the value from within the iframe
localStorage.setItem(‘test‘, ‘1‘); var iframe = document.createElement(‘iframe‘); iframe.onload = function() { var match = iframe.contentWindow.localStorage.getItem(‘test‘) === ‘1‘; if (match) { // Not incognito } else { // Incognito detected! } }; iframe.src = location.href; document.body.appendChild(iframe);
Other less reliable signals like sizing limits on Indexed DB can also be used as a weak heuristic for incognito. Browser fingerprinting services may bundle multiple incognito checks as part of their detection scripts.
Bypassing incognito detection
Through dev tool investigations, I found the Boston Globe‘s incognito detection relied on checking for the FileSystem API as shown above. To bypass this, we need to intercept the site‘s JavaScript and modify the API to always look available.
There are a few ways to inject custom client-side code:
- Using a browser extension
- Through a userscript manager like Tampermonkey or Greasemonkey
- Via the browser console
I opted to use the popular Tampermonkey extension, which provides a convenient way to modify selected sites with custom userscripts. Tampermonkey is available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
Here are the steps to create an incognito-bypassing userscript:
- Install Tampermonkey from the Chrome web store or Firefox add-ons site
- Click the Tampermonkey icon and select "Create a new script…"
-
Replace the default script template with:
// ==UserScript== // @name Incognito Bypass // @version 0.1 // @description Fakes the FileSystem API to avoid incognito detection // @match https://www.bostonglobe.com/* // @grant none // ==/UserScript== (function() { ‘use strict‘; // Only run in incognito mode if (window.webkitRequestFileSystem) return; // Monkey-patch the FileSystem API to return true window.webkitRequestFileSystem = window.RequestFileSystem = function(fs) { return fs(0, 0, function(){}, function(){}); } })(); -
Customize
@matchpattern to the sites you want to bypass - Save the script (Ctrl-S) and make sure it is enabled
- Browse to the site URL and check that the paywall/message is removed!
The script uses a technique called monkey patching to dynamically replace the webkitRequestFileSystem function with a shim that always succeeds. This tricks the Globe‘s detection script into believing we‘re not in incognito mode.
A more robust solution would be to proxy the original function and pass through the success/error callbacks based on actual API support. See this paywall bypass extension for an example.
An alternative is to host your userscript on GitHub as a raw file or via RawGit. You can then include it as a @require in your Tampermonkey script:
// ==UserScript==
// ...
// @require https://rawgit.com/yourusername/bypass-incognito/master/bypass.js
// ...This makes it easy to share your bypass or keep it synced between browsers. Just be careful not to expose any sensitive info in public GitHub repos!
Caveats and precautions
Bypassing a site‘s incognito detection is a cat-and-mouse game. If the site changes their detection method, your bypass script will need to be updated. More sophisticated sites may employ several redundant checks that all need to be intercepted.
Depending on how paywalled content is loaded, you may need to wait for the DOM to populate or refresh the page after modifying the JS environment. Blatantly circumventing metered usage or paid access is also a legal grey area and may violate a site‘s terms of service.
More broadly, incognito mode only prevents your local browser from saving data – it doesn‘t make you anonymous online. Your IP address and other metadata are still exposed to websites and network observers. For real privacy, consider using a trustworthy VPN, Tor, or privacy-centric browsers.
Alternatives to incognito mode
While we can often bypass incognito detection, it‘s an imperfect solution. Every site requires custom research and scripting to outsmart. Some other options for private browsing include:
- Privacy-hardened browsers like Brave and Firefox Focus
- Privacy extensions such as uBlock Origin, Privacy Badger, and ScriptSafe
- Containerized browsing with Firefox Multi-Account Containers or the Chrome-based Contexter
- The Tor network, which conceals your IP address and cookies via multi-hop routing (with a significant performance hit)
The future of incognito detection
As privacy-enhancing technologies like incognito mode have become popular, advertisers and publishers have responded with increasingly invasive tracking methods. In addition to explicit private-browsing detection, some sites employ browser fingerprinting to identify unique users across sessions.
Browser fingerprinting relies on combining multiple signals like your screen size, installed fonts, extensions, and hardware capabilities into a distinctive identifier. Vendors like FingerprintJS provide comprehensive fingerprinting scripts that claim to identify browsers even in incognito mode.
There is an ongoing arms race between fingerprinting and anti-fingerprinting techniques. As browsers add privacy protections, trackers find new methods and heuristics to circumvent them. For example, Apple has proposed a "Privacy Preserving Ad Click Attribution" scheme to reduce third-party tracking while still supporting anonymous ad attribution.
Ultimately, strong privacy online requires a multi-pronged approach including tracker blocking, containerization, traffic anonymization, and prudent browsing habits. As developers, we should strive to build sites and services that are transparent about data collection and respect our visitors‘ privacy preferences.
Conclusion
Blocking visitors who use incognito mode is a increasing trend on news and paywalled content sites. While browsers don‘t provide a direct way to detect private browsing, sites can infer incognito mode through various side-channel techniques.
In this post, we saw how to inspect a site‘s incognito detection logic and spoof it by monkey-patching the relevant browser APIs with a Tampermonkey userscript. This enables bypassing the anti-incognito prompt, but doesn‘t guarantee unfettered access to paid or metered content.
We also discussed some caveats of relying on incognito mode for privacy and alternative tools for private browsing. As the web evolves, the techniques for tracking and anti-tracking will continue to evolve. Understanding how these techniques work is valuable for developers and privacy-conscious users alike.