According to multiple documents seen by Windows Latest, Google is testing a new feature called “Script blocking in Incognito” (PrivacySandboxFingerprintingProtectionEnabled). It could make the existing incognito mode in Chrome more private on Windows. Once the feature is rolled out, Chrome will block third-party scripts that use known fingerprinting tricks to re-identify you across sites.
If you use Google Chrome and open an Incognito window, you might notice a disclaimer warning that Incognito mode lets you browse privately but is not a foolproof approach, because the sites that you visit can still see your browser and other details.
While it’s nearly impossible to build a truly private incognito experience without routing your traffic, Google is testing a real Incognito upgrade called “Script Blocking in Incognito.”
How does Google’s script blocking in incognito work against third-party scripts trying to track you?
In a document spotted by Windows Latest, Google noted that it wants to target the misuse of web APIs to read extra details about your device or browser.
Right now, Google’s implementation will not block all malicious script domains. Instead, only domains on the Marked Domain List (MDL) will be flagged as “Impacted by Script Blocking.” And the domains are flagged only when they try to run as third-party and extract data when they’re not supposed to.
To block third-party scripts that try to learn more about you, Google proposed a small change to the Fetch spec that gives browsers a standard “hook” to block or “shim” requests after normal checks like CSP and mixed content. In other words, it looks like Google is trying to identify when a bad actor exploits an existing standard web API to learn more about you.
In our tests, Windows Latest spotted that Google’s idea is very clear, as it tries to identify third-party scripts that use APIs, such as canvas, WebGL, fonts, and audio, to re-identify users. But is that something that could really affect an end user like you and me? Let us say you’re browsing a domain that tells you about restaurants near you.
While the domain itself is not suspicious, it has a third-party script that could use tricks like canvas, WebGL, and font checks, and then send a unique ID. Later, a shop using the same script matches that ID and targets you with ads, even without cookies.
Google’s Script Blocking in Incognito stops that script from loading, so the ID never forms.
Firefox, Edge, and Safari already try to block tracking to some extent
Google isn’t the only company working on these privacy protections. For example, Safari comes with a feature called ITP (Intelligent Tracking Prevention), which tries to block third-party cookies (aka trackers) to improve your privacy. On the other hand, Firefox has a similar protection called Enhanced Tracking Protection (ETP).
Microsoft Edge also comes with a Tracking Prevention feature.
While Firefox and Safari outright block web scripts designed to track you in regular browsing, Chrome’s idea is still less aggressive as it is list-based and limited to just Incognito.
Google noted that the feature would roll out to Chrome’s incognito mode only, and the company has no plan to enforce it across all Chromium browsers.
If you’re protected by Chrome’s new Incognito mode (script is blocked), you’ll see an “eye” icon in the address bar. You can disable the protection for that top-level site. Also, there’s a settings toggle to disable the feature entirely because some sites may not work in incognito when they rely on blocked third-party scripts.
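For site owners who want to see which of their script dependencies would stop loading, here is a simplified model of the list decision described above (Incognito only, MDL only, third-party only, with the per-site and global opt-outs). It is an added example, not Chrome's code: the check order, the domain-matching rule, the function names and every domain are assumptions or constructed placeholders, and the CSP and mixed-content checks that run before the hook are not modelled.

```javascript
// Simplified model of the behaviour described in the article; not Chrome's code.
// Every domain here is a constructed placeholder, not a real MDL entry.
const MDL = ["fp-vendor.example", "metrics.cdn-host.example"];

// Assumption: "site" = last two host labels. Browsers use the Public Suffix
// List instead, so this shortcut is wrong for suffixes such as co.uk.
const siteOf = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Assumption: an MDL entry covers that host and all of its subdomains.
const onMdl = (url) => {
  const host = new URL(url).hostname;
  return MDL.some((d) => host === d || host.endsWith("." + d));
};

// ctx: { topLevelUrl, incognito, featureEnabled, siteExceptions: Set<string> }
// The order of these checks is an assumption made for readability.
function decide(scriptUrl, ctx) {
  if (!ctx.incognito) return "allow: not Incognito";
  if (!ctx.featureEnabled) return "allow: settings toggle off";
  if (ctx.siteExceptions.has(siteOf(ctx.topLevelUrl)))
    return "allow: protection disabled for this top-level site";
  if (siteOf(scriptUrl) === siteOf(ctx.topLevelUrl)) return "allow: first-party";
  if (!onMdl(scriptUrl)) return "allow: not on MDL";
  return "block: MDL domain loaded as third-party";
}

// Site-owner view: which script dependencies would stop loading in Incognito?
function impactedScripts(topLevelUrl, scriptUrls, overrides = {}) {
  const ctx = { topLevelUrl, incognito: true, featureEnabled: true,
                siteExceptions: new Set(), ...overrides };
  return scriptUrls.filter((u) => decide(u, ctx).startsWith("block"));
}

// Constructed sample page: a restaurant guide and the scripts it includes.
const page = "https://www.restaurants.example/nearby";
const scripts = [
  "https://www.restaurants.example/app.js",       // first-party
  "https://static.fp-vendor.example/collect.js",  // MDL subdomain, third-party
  "https://maps.widgets.example/embed.js",        // third-party, not listed
];
console.log(impactedScripts(page, scripts));
```

Passing `{ siteExceptions: new Set(["restaurants.example"]) }` as the third argument models the user turning the protection off for that top-level site.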