Detecting if a browser is using Private Browsing mode

Question

I'm building an extranet for a company paranoid about security. They want to make sure that (among other things) their users are browsing the site with the Private Browsing mode switched on in their web browser so that no cookies or history is kept.

I found only this http://jeremiahgrossman.blogspot.com/2009/03/detecting-private-browsing-mode.html and https://serverfault.com/questions/18966/force-safari-to-operate-in-private-mode-and-detect-that-state-from-a-webserver

The ideal solution would use no or minimal javascript. Would attempting to set a unique cookie work for all browsers and platforms? Anyone done this before?

thanks!

update

http://crypto.stanford.edu/~collinj/research/incognito/ uses the CSS visited technique of the browser fingerprinters mentioned by other posters- thanks for the hints.

I like it because it is small and elegant, but still want to be able to do it without javascript if possible.

Lack of javascript support is not a good indication of use of Private Browsing. There are many reasons Javascript could have been disabled not the least of which is the use of NoScript. — Thomas, May 18 '10 at 20:31
@Thomas - that isn't what he's saying. The links describe a method that requires Javascript to check the style of anchors to test whether private mode is on. — erickson, May 18 '10 at 20:40
Are you looking to simply log this information or do you want something to happen as a result of the private-browser-detection? (if so, what?) — James, May 18 '10 at 20:40
@erickson - In addition to trying to check for lack of Javascript, or Javascript being disabled, there is no script you could devise that would safely identify Private Browsing because of script sniffers and blockers such as NoScirpt and the fact that the method by which Private Browsing is implemented is different between browsers. — Thomas, May 18 '10 at 21:01
@J-P: i want to make a message box appear after login that recommends private browsing be turned on (among other things) to help keep the site content secure. — Steve, May 19 '10 at 21:28
Privacy mode is not a security measure. Says so on the box, "Does not change website behavior" — Lee Louviere, Oct 25 '11 at 18:23
Why don't you just tell your pages not to cache (Cache-control header)? — CheckRaise, Oct 25 '11 at 19:23
The best option here is to provide remote session (if you truly are concerned about security). Have a VPN setup which allows remote desktop access (or similar) to a virtual desktop. Solutions are available from all major providers. — Burhan Khalid, Apr 19 '14 at 13:26
Possible duplicate of [Can you determine if Chrome is in incognito mode via a script?](https://stackoverflow.com/questions/2909367/can-you-determine-if-chrome-is-in-incognito-mode-via-a-script) — AlbertoFdzM, Aug 23 '17 at 13:03
Exists a lib to detect browsing mode: https://github.com/Maykonn/js-detect-incognito-private-browsing-paywall/ — Maykonn, Aug 02 '18 at 20:11

Dwayne Charrington · Answer 1 · 2019-11-05T05:35:19.753

62

Update June 2019

Google is removing the ability to detect Private Browsing Mode permanently in Chrome 76 onwards. So, if you're wanting to detect private browsing it's now impossible (unless you find a way to do it that Google hasn't found). The ability to detect private browsing mode has been acknowledged as a bug and was never intended.

To anyone else coming across this question, please note as of 2014, there is no reliable or accurate way to detect if someone is browsing in an incognito/private/safe browsing mode through Javascript or CSS. Previous solutions that once worked like the CSS history hack have since been rendered unusable by all browser vendors.

There should never be a situation where needing to detect private browsing mode on a normal day-to-day website is ever needed. People are choosing to browse anonymously and or not anonymously for their own reasons.

Browsers like Chrome and Firefox do not disable functionality like localStorage any more. They simply namespace it in a temporary location to prevent websites that use it from erroring out. Once you're finished browsing, the namespace is erased and nothing is saved. If you are testing for localStorage support regardless of mode, it will always return true for browsers that support it.

Other means of detecting private mode in Chrome specifically have been completely patched and will no longer work.

If it is required internally by a company, you should develop a browser plugin. Chrome and Firefox, in particular, expose internal API's which allow plugins to check if the user is in private browsing/incognito mode and action accordingly. It cannot be done outside of a plugin.

edited Nov 05 '19 at 05:35

answered Mar 25 '14 at 01:41

Dwayne Charrington

6,278
7
39
62

43

`There should never be a situation where needing to detect private browsing mode ` not strictly true, there are issues with apple: http://stackoverflow.com/questions/21159301/quotaexceedederror-dom-exception-22-an-attempt-was-made-to-add-something-to-st where it would be nice to notify the client it will not work in private mode. – Pogrindis May 12 '15 at 14:47
1

While Chrome and Firefox do support webstorage, the Safari and Android market share is significant enough that this should be a concern. – mattLummus Jul 01 '15 at 14:49
4

Oh, there *are* cases, believe me. WordPress for example stores if you are logged in in a cookie. Those get destroyed when you close the private mode tab or window. In one current case we have the problem that people keep ranting that they have to log in over and over again as the _Safari_ private mode base window does _not_ explain what happens to Cookies. They just think "history is not saved" and believe that this will help keeping their things private. – kaiser Aug 04 '15 at 15:42
26

"There should never be a situation where needing to detect private browsing mode on a normal day-to-day website is ever needed" - Actually, here is one. We are working on a site providing resources for violence against women. As part of that site, we want to educate users who are not browsing in private mode about the fact they need to use private mode to ensure that the site visit is not in their history. I wanted to detect if users are not in private mode and if that's the case provide appropriate instructions on how to clear recent cache and return in private mode. – Professor Falken Jan 25 '16 at 23:06
5

We've had multiple users not realize they were in private browsing mode and thought that there was an issue with our site. I completely disagree with your assumption that there is never a need to detect this. – Graham Sep 11 '17 at 04:33
@dwayne-charrington, that's quite a statement. More and more websites do detect it so obviously there are ways, like this for Chrome: https://stackoverflow.com/a/27805491/4829915 – LWC Oct 01 '18 at 11:03
@LWC Please take note of when this answer was posted, March 25th, 2014. The FileSystem API was and to be honest, still is not very well supported. The answer you link was posted 3 years after my response (a millennia in web years). From what I can see, all solutions to detect incognito mode are still unreliable hacks. Until there is a valid browser API to do this, all solutions are hacks. – Dwayne Charrington Oct 01 '18 at 22:16
1

@dwayne-charrington, the Chrome solution still works, hack or not. In the current era of growing privacy awareness, an official global API to expose people's privacy preferences is unlikely. – LWC Oct 01 '18 at 22:44
There are such cases - for example, we'd like to NOT offer the user saving of some items on site locally (without login) when he's in private mode - because he'll likely not realize that the saved items will disappear. – Tomáš Kafka Nov 22 '18 at 14:01
5

The NY Times is now implementing this verification on their site and requiring you to log in or create an account. Previously (around a week ago) if you reached your "free article" limit you could just load the site in incognito mode and read all you want. I guess they caught on! It also disproves your statement that there is never a use case for detecting private browsing mode. – Matt K Apr 10 '19 at 17:31
2

@professor-falken - it seems that would be information worth putting on the page whether they are in private mode or not? (cf. the cookie popups most sites now have). – Nathan Sep 08 '19 at 11:17
3

I don't know how but the NYT can still detect if I am using private mode. https://imgur.com/a/7z6E388 – Hugo Apr 21 '20 at 20:01
As of May 2021, it seems that it is still possible for sites to detect whether or not Firefox is running in private mode. See https://security.stackexchange.com/questions/9037/can-web-sites-detect-whether-you-are-using-private-browsing-mode/227865#227865. – mti2935 May 01 '21 at 23:18

score 40 · Answer 2 · edited Jan 09 '15 at 16:22

40

Here's an easier way to do detect privacy mode. This works in Safari only. I created it because a web app I am developing uses localStorage. LocalStorage is not available in Safari when in privacy mode, thus my app will not work. On page load, run the script below. It shows an alert box if we cannot use localStorage.

try {
  // try to use localStorage
  localStorage.test = 2;        
} catch (e) {
  // there was an error so...
  alert('You are in Privacy Mode\nPlease deactivate Privacy Mode and then reload the page.');
}

edited Jan 09 '15 at 16:22

OrangeCMS

55
4

answered Jul 19 '13 at 08:44

Jez D

1,431
1
24
49

Maybe also add localStorage.test = null; so it doesn't pollute storage for other browsers? – ChrisWren Mar 07 '16 at 20:38
@PaulAnnekov yes as stated in the answer this only works for Safari browser – Ithar Oct 19 '16 at 12:38
@ChrisWren Each browser has their own localstorage. They don't share it. – Dave White Aug 04 '17 at 17:07
Thanks, that explains how some website detected this. I found it very creepy that a site could figure that out... (N.B. this was in Firefox 55.) – Luc Oct 09 '17 at 20:44
3

This was only possible due to a bug in Safari, which has been fixed as of iOS 11 – proxiblue Aug 08 '18 at 03:43

manniL · Answer 3 · 2020-03-14T12:41:40.863

Current state

Google Chrome has developed further and leaves no more space for detection when using incognito mode. Same might apply for other browsers.

Old solutions (might partially work)

It is possible to detect enabled private browsing modes for the majority of used browsers. This includes Safari, Firefox, IE10, Edge and Google Chrome.

Firefox

When the private browsing mode of Firefox is enabled, the IndexedDB throws an InvalidStateError because it is not available in private browsing mode.

To very if that:

var db = indexedDB.open("test");
db.onerror = function(){/*Firefox PB enabled*/};
db.onsuccess =function(){/*Not enabled*/};

Safari

For Safari, the key is the local storage service. It is disabled in privacy mode. So try to access it and use a try-catch clause. The following method works on both, OSX and iOS devices. Credits for this method are going to this question and answer

var storage = window.sessionStorage;
try {
    storage.setItem("someKeyHere", "test");
    storage.removeItem("someKeyHere");
} catch (e) {
    if (e.code === DOMException.QUOTA_EXCEEDED_ERR && storage.length === 0) {
        //Private here
    }
}

IE10/Edge

Internet Explore is even going to disable the IndexedDB when in privacy mode. So check for existence. But that's not sufficient enough, because older browsers maybe don't even have an IDB. So do another check, e.g. for events that only IE10 and subsequent browser have/trigger. A related question on CodeReview can be found here

if(!window.indexedDB && (window.PointerEvent || window.MSPointerEvent)){
 //Privacy Mode
}

Chrome

Update: This doesn't work since Chrome 76 (thanks to @jLynx)

Chromes Incognito mode can be verified by the file system. A great explanation can be found here on SO

var fs = window.RequestFileSystem || window.webkitRequestFileSystem;
if (!fs) {
    console.log("FS check failed..");
    return;
}

fs(window.TEMPORARY, 100, function (fs) {}, function (err) {
//Incognito mode
});

Safari didn't work for me anymore (11.1.2) but the referenced SO question got a new answer, which works for me: https://stackoverflow.com/a/47642304/333864 — Riesling, Aug 28 '18 at 11:50
The New York Times site can detect Chrome 80 running in incognito mode, so there's something else besides this. — Scott Martin, Mar 12 '20 at 15:54
Vanity Fair detects both Chrome Incognito and Firefox Privacy modes. You have pick an article and the start scrolling, a few seconds later it will pop up a "you're in privacy mode, stop it" msg. — gman, May 04 '20 at 06:04
The Edge check is no longer valid as window.indexedDB exists in private mode also now. — Jacques Ramsden, Mar 11 '21 at 14:01

Endless · Answer 4 · 2020-12-09T16:43:03.470

Chrome 83 arrives with redesigned security settings, third-party cookies blocked in Incognito by default!

So this one is easy, create a iframe to a third party site, have it send a postMessage back notifying you if navigator.cookieEnabled is true or false. Ofc users have the option to disable third party cookie as well. So i tested and disabled 3th party cookies in the settings. But it still said cookie was enabled on third-party iframes using navigator.cookieEnabled. it only became disabled once i used Incognito - perhaps a bug?

new Promise((rs, rj, m = new MessageChannel(), d = document, i = d.createElement('iframe')) => {
  i.src = 'https://httpbin.org/base64/PHNjcmlwdD5vbm1lc3NhZ2UgPSBlID0+IGUuZGF0YS5wb3N0TWVzc2FnZShuYXZpZ2F0b3IuY29va2llRW5hYmxlZCk8L3NjcmlwdD4='
  i.onload = _ => i.contentWindow.postMessage(m.port1, '*', [m.port1], m.port2.onmessage = e => i.remove(rs(e.data)))
  i.hidden = 1
  d.body.append(i)
}).then(thirdPartyCookieEabled => 
  console.log('Third party cookie enabled:', thirdPartyCookieEabled)
)

You could also probably do it using only js + ajax but didn't want to set up a 2 servers to test it myself. but for this SameSite=none have to be set as well.

res = await fetch('https://httpbin.org/cookies/set?enabled=1', {
  credentials: 'include' 
})
json = await res.json()
console.log(!!json.cookies.enabled)

Here is my take on detecting private mode

function detectPrivateMode(cb) {
    var db,
    on = cb.bind(null, true),
    off = cb.bind(null, false)

    function tryls() {
        try {
            localStorage.length ? off() : (localStorage.x = 1, localStorage.removeItem("x"), off());
        } catch (e) {
            // Safari only enables cookie in private mode
            // if cookie is disabled then all client side storage is disabled
            // if all client side storage is disabled, then there is no point
            // in using private mode
            navigator.cookieEnabled ? on() : off();
        }
    }

    // Blink (chrome & opera)
    window.webkitRequestFileSystem ? webkitRequestFileSystem(0, 0, off, on)
    // FF
    : "MozAppearance" in document.documentElement.style ? (db = indexedDB.open("test"), db.onerror = on, db.onsuccess = off)
    // Safari
    : /constructor/i.test(window.HTMLElement) || window.safari ? tryls()
    // IE10+ & edge
    : !window.indexedDB && (window.PointerEvent || window.MSPointerEvent) ? on()
    // Rest
    : off()
}

detectPrivateMode(function (isPrivateMode) {
    console.log('is private mode: ' + isPrivateMode)
})

edit found a modern, faster, synkronas way to try it in firefox (they don't have service workers in privat mode) similar to ie don't include indexedDB but the test only works in secure sites

: "MozAppearance" in document.documentElement.style ? navigator.serviceWorker ? off() : on()

Note: Promises aren't natively supported in IE10 or 11. I'd assume you used a polyfill here? http://caniuse.com/#search=promise — Kevin Dice, Aug 11 '16 at 17:51
Exists a lib to detect browsing mode: https://github.com/Maykonn/js-detect-incognito-private-browsing-paywall/ — Maykonn, Aug 02 '18 at 20:12
@Endless Is there any alternative url instead of "https://httpbin.org/base64/PHNjcmlwdD5vbm1lc3NhZ2UgPSBlID0+IGUuZGF0YS5wb3N0TWVzc2FnZShuYXZpZ2F0b3IuY29va2llRW5hYmxlZCk8L3NjcmlwdD4=" — Sunit Kumar Samanta, Mar 22 '22 at 08:13

Matt S · Answer 5 · 2017-07-31T16:53:41.647

14

There's no way for your web page to know, absolutely for sure, that the user is in private browsing mode. Any attempts to check for various browser features will need to change often as security implementations are updated. It may work for some time in some browsers, but not all.

If the company is that concerned about security, I'd suggest rolling your own Firefox or Chromium distribution with locked down privacy settings, and only allowing that custom client to connect to the extranet.

edited Jul 31 '17 at 16:53

answered May 18 '10 at 20:38

Matt S

14,406
4
52
75

2

What supporting evidence? The "fingerprint" that doesn't tell you if private browsing is on? The company is "paranoid about security", so relying on so-called fingerprints isn't sufficient. – Matt S May 18 '10 at 23:18
hmmm... my own cross platform FF distribution? Thats a bit much effort... Are you aware of an 80% solution? (eg 80% of the time we can guess if the user is in private browsing mode). I'm looking to combine a number of security recommendations to the visitor: using private browsing is one of them. As others have suggested, not all visitors will be willing to do that, and maybe 1/4 of them will be in "safe" locations and will not need to. – Steve May 19 '10 at 21:25
1

A recommendation need not know if the user is implementing the suggestion. – Lee Louviere Oct 25 '11 at 16:21
-1 The OP said this is not a solution "10% of my users will be logging in via very flaky 24k dial up lines and only have electricity for a couple of hours a day if they are lucky" – Lee Louviere Oct 25 '11 at 18:17

score 7 · Answer 6 · answered Mar 18 '19 at 23:56

7

I have built a little library that will work on all major platforms and browsers that I have tested: https://github.com/jLynx/PrivateWindowCheck

You can simply call

isPrivateWindow(function(is_private) {
    if(is_private)
        alert('Private');
    else
        alert('Not Private');
});

answered Mar 18 '19 at 23:56

jLynx

1,042
3
19
34

I have no idea why someone down rated you? Here's another: .... https://gist.github.com/jherax/a81c8c132d09cc354a0e2cb911841ff1 – user10216038 Jun 12 '19 at 20:02
I guess that this script was written before Chrome 76 and that it no longer works for Chrome? – Lii Apr 28 '20 at 21:47
1

The naming of the method looks wrong. It should be `alertIfPrivateWindow` because the function is alert()ing. Using the `is` prefix suggests a boolean is returned; which is false here. – SandRock Nov 04 '20 at 12:46
@SandRock in this example it alerts regardless on weather its private or not. So the suggested name change here doesn't quite make sense – jLynx Nov 04 '20 at 21:01

score 4 · Answer 7 · answered Jul 12 '17 at 09:49

4

The localStorage trick is a bug which has been fixed, and it doesn't work anymore in Safari 11.0.

There is an interesting alternative that works in Safari, Opera and Internet Explorer (not Chrome): those browser send a DNT: 1 header (Do Not Track).

It's not 100% reliable because this header can be enabled for normal browsing (it's disabled by default), but it can help to identify privacy-conscious users.

answered Jul 12 '17 at 09:49

Julien

9,112
9
61
86

DNT is broken in the latest beta version of Safari 11. It's not longer exposed to JavaScript, only via the HTTP header. – Etienne Martin Aug 08 '17 at 19:11

score 3 · Answer 8 · answered May 19 '10 at 11:21

3

Web browsers behave differently when privacy mode is activated.

On many browsers the caching of resources is limited. It is possible to detect where a browser has been based on their CSS cache. Its possible to conduct this this attack without JavaScript.

The EFF is working on a project to fingerprint browsers. Parts of the browsers fingerprint will be different when privacy mode is activated. Go ahead, try it.

answered May 19 '10 at 11:21

rook

64,668
37
156
236

1

Thanks for the interesting links. I had a go but all it does is change the fingerprint. If I've done my job right I'll not be able to tell if a visitor has come before with a different fingerprint and therefore be able to detect private browsing? – Steve May 19 '10 at 21:36
@Steve Although I haven't done much digging, I suspect that there is a part of the fingerprint that is always abnormal when private browsing is enabled. But this is highly browser specific. – rook May 19 '10 at 21:41
1

Interesting read. The "try it" link is broken at the moment. :( – Mrchief Feb 01 '16 at 19:01

score 3 · Answer 9 · answered Apr 27 '16 at 19:39

I agree with DigitalSeas's sentiment that we should generally not try to detect if the user is in a "private browsing" mode. However, I recently discovered that FireFox now subscribes to a service called "disconnect.me", which provides the url blacklist they use in their "tracking protection" feature. Since disconnect.me blacklists certain social networks (e.g. Facebook's facebook.net), we found that their SDKs would not load in FireFox. Therefore, it seems reasonable that we could try and detect private browsing mode in order to provide a more useful and precise error message to our users.

With that justification out of the way, this gist claims to provide detection for private browsing in major browsers using tricks specific to those browsers. At the time of this writing (the gist may have been updated by the time you read this) the detection logic is as follows:

function retry(isDone, next) {
    var current_trial = 0, max_retry = 50, interval = 10, is_timeout = false;
    var id = window.setInterval(
        function() {
            if (isDone()) {
                window.clearInterval(id);
                next(is_timeout);
            }
            if (current_trial++ > max_retry) {
                window.clearInterval(id);
                is_timeout = true;
                next(is_timeout);
            }
        },
        10
    );
}

function isIE10OrLater(user_agent) {
    var ua = user_agent.toLowerCase();
    if (ua.indexOf('msie') === 0 && ua.indexOf('trident') === 0) {
        return false;
    }
    var match = /(?:msie|rv:)\s?([\d\.]+)/.exec(ua);
    if (match && parseInt(match[1], 10) >= 10) {
        return true;
    }
    return false;
}

function detectPrivateMode(callback) {
    var is_private;

    if (window.webkitRequestFileSystem) {
        window.webkitRequestFileSystem(
            window.TEMPORARY, 1,
            function() {
                is_private = false;
            },
            function(e) {
                console.log(e);
                is_private = true;
            }
        );
    } else if (window.indexedDB && /Firefox/.test(window.navigator.userAgent)) {
        var db;
        try {
            db = window.indexedDB.open('test');
        } catch(e) {
            is_private = true;
        }

        if (typeof is_private === 'undefined') {
            retry(
                function isDone() {
                    return db.readyState === 'done' ? true : false;
                },
                function next(is_timeout) {
                    if (!is_timeout) {
                        is_private = db.result ? false : true;
                    }
                }
            );
        }
    } else if (isIE10OrLater(window.navigator.userAgent)) {
        is_private = false;
        try {
            if (!window.indexedDB) {
                is_private = true;
            }                 
        } catch (e) {
            is_private = true;
        }
    } else if (window.localStorage && /Safari/.test(window.navigator.userAgent)) {
        try {
            window.localStorage.setItem('test', 1);
        } catch(e) {
            is_private = true;
        }

        if (typeof is_private === 'undefined') {
            is_private = false;
            window.localStorage.removeItem('test');
        }
    }

    retry(
        function isDone() {
            return typeof is_private !== 'undefined' ? true : false;
        },
        function next(is_timeout) {
            callback(is_private);
        }
    );
}

Lee Louviere · Answer 10 · 2011-10-25T18:24:59.733

3

You're not going to block them if they don't have private browsing enabled.

Why have a smart message box at all?

Would attempting to set a unique cookie work for all browsers and platforms? Anyone done this before?

I think the most elegant solution would be to:

Perform a security leak test
If security leak test reveals issue
- Tell user to check settings
- Suggest privacy mode

Because as you said, not everyone can or needs to enable privacy mode.

edited Oct 25 '11 at 18:24

answered Oct 25 '11 at 16:26

Lee Louviere

5,104
29
54

1

how would you do a security leak test? – Steve Oct 25 '11 at 23:07
Attempt to do things that you're trying to secure against. If you don't want cookies, attempt to make one. – Lee Louviere Oct 27 '11 at 13:45

score 2 · Answer 11 · answered Mar 24 '20 at 14:34

Browser makers are actively patching browser bugs that let sites identify private mode. Some bugs remain, but code to detect them is unlikely to be worth writing as the plan is it won't work for long.

The reason why browser makers are fixing these bugs is that sites like news publishers are using the bugs to identify private-mode users and refuse to serve them. The news publishers who want to do this tend to be using "metered paywalls", which let each browser view a certain number of free articles per day (or per week or whatever) and then start charging: since private-mode effectively resets the meter, the publishers don't want you to use private mode. But restricting private mode also restricts people who want to use it for other reasons, e.g. a domestic-abuse victim not wanting to keep history on a browser shared with their abuser, or someone not wanting their current activity to affect what advertisements they see in future, or some other reason. Although news sites that restrict private mode do tend to permit it if you log in, it's rather obvious that logging in lets them track you, so if you're trying to avoid being tracked then logging-in doesn't seem like an acceptable solution, hence browser makers want publishers not to be able to detect private mode.

There is another way of not keeping history: use a browser that lets you selectively clear it afterwards. Chrome for example can clear cookies, cache and history associated with specific domains, or for a specified period of time such as "for the last hour". That way you don't need private or incognito mode: you can get the same effect by browsing in normal mode and then erasing the traces. But you have to know how to do it, plus you must remember to do it, so it's a more troublesome approach than is using private mode. Still, I expect some people are using this as a workaround if their browser still has a bug that lets sites detect when they're in private mode and deny them service.

If you as a website author have a reason for not wanting your website to be stored in cache or history, for example if the site is meant to help domestic-abuse victims, then "how to detect private mode" might be the wrong question, as what you really want is "don't store this stuff in history, whether private mode is in use or not". Chris Coyier on css-tricks.com noted that window.location.replace() does not create a history item and techniques like this could be used to construct a site that at least doesn't leave its individual pages in history (at least not when browsed with Javascript switched on), but the referring page—possibly a dangerous-to-have search-result page—would still be in history, as would the final page they were on if they don't properly "sign out" of the site. (Intermediate pages might also be discernible via cache forensics, but anyone who can do that can probably also record the traffic as it happens, so we just have to hope the abuser is not that clever.) Another possible approach might be to create an innocent-looking cookie that stores the timestamp of the page's first load, and replace its content with something else if the current time exceeds that timestamp by too long, although its URL may still be loadable on another device or by clearing cookies (unless it was also session-dependent). But getting rid of the referring page is still going to be an issue, and as it's not always possible to confirm the user is in private mode, the best policy is probably to take steps to educate them about private mode anyway.

If you check their User-Agent, you can show them what both private mode and non private mode look like on their browser and OS, ask them to confirm which of the two matches their current window right now, and caution them if they choose the non private mode appearance. This won't work for browser and OS combinations you didn't test (but then neither will bug-based detection), and it assumes the user cares about their security enough to take the question seriously—but if they don't, the battle is probably already lost anyway.

This one is the best answer I have ever read in this thread. — Gunnar Vestergaard, Sep 25 '20 at 19:44

score 1 · Answer 12 · answered Jul 17 '13 at 23:34

I've solved this issue by using two HTML pages. The main page define a status variable and set a cookie. The second page is opened in a new window (not tab), read the cookie and set status to the cookie value. Under MSIE, the cookie value is passed to the child page when the main page in normal mode. When in InPrivate Browsing mode, the cookie value is not passed to the child page (but is passed if you open a new tab).

The main.html page:

<script>     
var myCookie="nocookie";
document.cookie="checkInPrivate=1";
var h=window.open("child.html", "_blank", "left=9999,height=200,width=200");
setTimeout(function() {
    var status=null;
    if (myCookie=="nocookie") {
        status="unable to determine if we are InPrivate Browsing mode (child page did not set the cookie)";
    } else if (myCookie.indexOf("checkInPrivate")>=0) {
        status="not in InPrivate Browsing mode (child page did set the cookie)";
    } else {
        status="in InPrivate Browsing mode (child page set the cookie value but it was not provided)";
    }
    alert(status);
}, 200);
</script>

The child.html page:

Detecting MSIE's InPrivate Browsing mode...
<script>
window.opener.myCookie=document.cookie;
window.close();
</script>

I'm using InPrivate Browsing mode in order to prevent Browser Helper Objects (BHO) and browser extensions to be enabled, since BHO are most often malwares which can modify the web pages even if HTTPS and strong authentication are used. Internet Explorer 9 has a "Disable toolbars and extensions when InPrivate Browsing starts" in its "Privacy" settings.

However, this is not the ultimate way to prevent malicious browser extension: a malicious extension may change the main page behavior to make it think that the myCookie value has not been set and. We would wrongly assume that we are in InPrivate Browsing mode.

Note that I need cookies for my application so I do not use InPrivate Browsing for that purpose.

score 1 · Answer 13 · answered May 18 '10 at 20:39

Well, you wouldn't really distinguish private mode from "block all cookies" in that way, but apart from that rare situation I guess it should work.

The big problem IMO, is that this is a very very bad site design, not better than the good ol' "you need browser xxx to see this website" that was common in the '90s. Not all browser have a Private Browsing mode (as much as I despise IE, your cutting out IE7 users for instance) and those users won't be able to access your site at all.

Also, when I'm on the Internet I often have several tabs open with multiple website. It would be really annoying for me to have to switch to private mode just to see that website and not being able to access the other sites at the same time.

One thing you could do would be designing the site using sessions instead of cookies, so they won't be stored (as you don't use them...). And as for the history... really, what's the problem with that?

Or put the whole site behind a password protected, encrypted connection with caching aggressively disabled. — Marcel Korpel, May 18 '10 at 22:30
@The Rook: nah: its pretty interesting. There are some bizarre technical challenges like requiring all users to go via https but knowing that some countries block ssl connections, or knowing that 10% of my users will be logging in via very flaky 24k dial up lines and only have electricity for a couple of hours a day if they are lucky... — Steve, May 19 '10 at 21:21

score 1 · Answer 14 · answered Oct 04 '16 at 22:48

Write code to achieve following

1) In firefox test browser version. This method works with version >= 33.0 ( supports service workers ). Cannot use this method with old ( < 33.0 ) versions.

2) Try to set service worker. 3) If you can set,use or access a service worker you are 1000% not in private browsing mode as service workers cannot be interacted with on Firefox private browsing mode. I wish that they could be.

Quote:

"In Firefox, Service Worker APIs are hidden and cannot be used when the user is in private browsing mode"

https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers

score 0 · Answer 15 · answered Mar 08 '17 at 01:19

Not sure if its cause this question is old but Firefox does provide documentation on how to detect private browsing mode. However it involves using an import of theirs DXR PrivateBrowsingUtils:

try {
      // Firefox 20+
      Components.utils.import("resource://gre/modules/PrivateBrowsingUtils.jsm");
      if (!PrivateBrowsingUtils.isWindowPrivate(window)) {
        ...
      }
    } catch(e) {
      // pre Firefox 20 (if you do not have access to a doc. 
      // might use doc.hasAttribute("privatebrowsingmode") then instead)
      try {
        var inPrivateBrowsing = Components.classes["@mozilla.org/privatebrowsing;1"].
                                getService(Components.interfaces.nsIPrivateBrowsingService).
                                privateBrowsingEnabled;
        if (!inPrivateBrowsing) {
          ...
        }
      } catch(e) {
        Components.utils.reportError(e);
        return;
      }
    }

This is deprecated and not working in current version of firefox @Endless Answer seems the one working for me in latest Firefox and Chrome versions — Mahmoud Mostafa, Apr 24 '17 at 11:51

score 0 · Answer 16 · answered Mar 24 '19 at 13:37

While creating my Safari extension, I found out that it was possible to query the boolean safari.self.browserWindow.activeTab.private. Below worked for me to check whether the browser was open in Private or not but only from the extension.

isPrivate = false;
try {
isPrivate = safari.self.browserWindow.activeTab.private;
} catch (_) {
isPrivate = true;
}
if (isPrivate === true){
console.log("Private window.");}
else {
console.log("Not private window.");}

Source: developer.apple.com | Instance Property private

score 0 · Answer 17 · answered Apr 02 '19 at 19:00

function isPrivate(callback) {
  callback || (callback = function(){});
  var fs = window.RequestFileSystem || window.webkitRequestFileSystem;

  if(fs){
    return fs(window.TEMPORARY, 1, callback.bind(this, false), callback.bind(this, true));
  }

  if(window.indexedDB && /Firefox/.test(window.navigator.userAgent)){
    try {
      var db       = window.indexedDB.open('test');
      var tryes    = 0;
      var interval = limit = 10;

      var wait = function(check){
        if(tryes >= limit){ return callback(true); } // Give up
        return window.setTimeout(check, ++tryes * interval);
      }

      var evaluate = function(){
        return db.readyState === 'done' ? callback(!db.result) : wait(evaluate);
      }

      return wait(evaluate);
    } catch (e) {
      return callback(true);
    }
  }

  if (!!window.navigator.userAgent.match(/(MSIE|Trident|Edge)/)){
    try {
      return callback(!window.indexedDB);
    } catch (e) {
      return callback(true);
    }
  }

  try {
    window.openDatabase(null, null, null, null);
    return callback(false);
  } catch (e) {
    return callback(true);
  }
}

isPrivate( function(isPrivate) {
  console.log('Private mode ===>', isPrivate);
});

score 0 · Answer 18 · answered Dec 31 '19 at 05:08

You can find this gist to detect private browsing

var hasStorage = function() {
      var mod,
        result;
      try {
        mod = new Date;
        localStorage.setItem(mod, mod.toString());
        result = localStorage.getItem(mod) === mod.toString();
        localStorage.removeItem(mod);
        return result;
      } catch (_error) {
        return false;
      }
    },
    hasCookies = function() {
      var cookieEnabled = navigator.cookieEnabled ? true : false;

      if (typeof navigator.cookieEnabled == 'undefined' && !cookieEnabled) {
        document.cookie = 'testcookie';
        cookieEnabled = (document.cookie.indexOf('testcookie') != -1) ? true : false;
      }
      return cookieEnabled;
    };

  if (!hasStorage()) {
    document.getElementById('apple_storage').style.display = 'block';
  } else if (!hasCookies()) {
    document.getElementById('no_cookie').style.display = 'block';
  }

<!-- ERROR FOR BLOCKED LOCAL STORAGE -->
<div id="apple_storage" style="display:none;">
    <div class="modal-new alerts">
        <h2>Attenion</h2>
        <a href="" class="close" onclick="document.getElementById('apple_storage').style.display = 'none';">Close</a>
        <div class="body">
            <p>
                Dear customer, to ensure proper use of the site it is necessary to abandon the
                private browsing.
            </p>
        </div><!-- /.body -->
    </div>
</div>

<!-- ERROR FOR BLOCKED COOKIES -->
<div id="no_cookie" style="display:none;">
    <div class="modal-new alerts">
        <h2>Attenion</h2>
        <a href="" class="close" onclick="document.getElementById('no_cookie').style.display = 'none';">Close</a>
        <div class="body">
            <p>
                Dear customer, to ensure proper use of the site it is necessary to enable cookies.
            </p>
        </div><!-- /.body -->
    </div>
</div>

score 0 · Answer 19 · answered Oct 22 '21 at 14:46

Many seem to believe that detecting incognito/private mode is no longer possible, and I can assure you that's definitely not true. I have been unable to find any publicly available code that works on 100% of browsers, so I made my own.

As of October 2021 my code is able to detect private browsing modes on Safari 15 (macOS & iOS), Chrome 93, Edge 93, Firefox 93, Internet Explorer 10+, as well as Brave.

I should also note that detecting incognito has legitimate, non-paywall related uses, of which I am using as part of a larger private project. For example, fraudsters often use incognito when conducting credit card fraud. While alone someone filling in a checkout form in incognito doesn't immediately scream fraud, paired with other data points (such as the user using a VPN as well), I would be wary of accepting such an order.

Sites that block access based on whether one is in incognito suck, but I pin that down more to bad site design.

Shameless plug: https://github.com/Joe12387/detectIncognito

I also have a demo available: https://detectincognito.com/

I hope this is helpful.