Does incognito/private browsing prevent XSS attacks?

2018-10-21 22:46:03

When starting an incognito/private browsing session, no cookies from other browsing profiles should exist. For example, if I am logged in to a site on my main browsing profile, then start a new private browsing session, I am not logged into that same site (cookies not carried over). Assuming it is a new private browsing session, there should not be any existing cookies or sensitive information that is available at all.

Does this also have the side effect of preventing or nullifying XSS attacks since there is no sensitive data to steal? Or is this a false sense of security?

  • An XSS attack is not primarily about cookies. It is not about stealing sensitive data either. It is instead about executing attacker-controlled code on the client side within the context of the site you visit. What kind of harm can be done by this code depends on the actual site and context.

    Using a private browsing session will not prevent XSS by itself but it might limit the impact of what harm XSS can do - i.e. it has no access to the cookies or other stored data from the non-private browser session. It might though still do harm, but again this depends on the specific context and site you visit.

    2018-10-21 23:39:19
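
The distinction drawn in the answer above, as an added example that is not part of the original question or answer: a constructed JavaScript model of per-session cookie jars, showing what script running in a page of the site can read, and what the browser attaches to its requests, in a main profile, a fresh private window, and a private window after a login. The class, the origin `https://shop.example` and the cookie names are hypothetical and are not a browser API.

```javascript
// Constructed model, not a real browser API: every browsing session has its own
// cookie jar, and a private window starts with an empty one.
class BrowsingSession {
  constructor() {
    this.jar = new Map(); // origin -> [{ name, value, httpOnly }]
  }
  // Models the site sending a Set-Cookie header.
  setCookie(origin, name, value, { httpOnly = false } = {}) {
    const kept = (this.jar.get(origin) || []).filter(c => c.name !== name);
    kept.push({ name, value, httpOnly });
    this.jar.set(origin, kept);
  }
  // What document.cookie returns to ANY script running in a page of `origin`,
  // whether the site shipped it or it was injected. HttpOnly cookies are hidden.
  documentCookie(origin) {
    return (this.jar.get(origin) || [])
      .filter(c => !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
  // Cookie names the browser attaches to a same-origin request, including one
  // started by in-page script. HttpOnly cookies are sent too.
  requestCookies(origin) {
    return (this.jar.get(origin) || []).map(c => c.name);
  }
  view(origin) {
    return { script: this.documentCookie(origin), sent: this.requestCookies(origin) };
  }
}

function compareSessions() {
  const origin = 'https://shop.example'; // hypothetical site
  const main = new BrowsingSession();
  main.setCookie(origin, 'sid', 'main-123', { httpOnly: true }); // constructed values
  main.setCookie(origin, 'prefs', 'dark');

  const priv = new BrowsingSession();       // new private window: empty jar
  const freshPrivate = priv.view(origin);   // nothing stored, nothing sent

  // The user logs in inside the private window: the jar is no longer empty.
  priv.setCookie(origin, 'sid', 'priv-456', { httpOnly: true });
  priv.setCookie(origin, 'prefs', 'light');

  return { main: main.view(origin), freshPrivate, privateAfterLogin: priv.view(origin) };
}

console.log(compareSessions());
```

The private window isolates stored state only until the site sets new state in it; the script's ability to run in the page is the same in all three cases.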