If I open an incognito window in Google Chrome and go to a webpage where Chrome has a saved username and password from (for example the login form on http://gmail.com), I see that my username and password are automatically filled in.
Does that mean that I am not really incognito? Can the website see my username even if I don't explicitly log in?
Or is there some mechanism behind the scenes that prevents the webpage from grabbing auto-filled values unless I actually log in?
Stored usernames (and passwords) are a lot like cookies: your unique identifier linked to a certain site, stored locally in your browser, available to the site when you open it.
When you go incognito you ask your browser not to identify you to the sites you visit. It does that by (among other things) not exposing its cookies. Exposing the stored username in this mode does not make sense to me (but maybe I'm missing something…).
Update (2014-09-25): it seems recent Chrome versions don't do this anymore.