Intent to Ship: IP Protection in Incognito using published Masked Domain list

Zainab Rizvi

Jul 14, 2025, 11:54:50 AM
to blink-dev, Mike Taylor, James Bradley

Contact emails

mike...@chromium.org, jhbr...@google.com, riz...@google.com

Explainer

https://github.com/GoogleChrome/ip-protection/blob/main/README.md

Specification

None. While Apple does ship a similar feature, we believe that we need the experience that comes with shipping before attempting standardization or alignment of architectures. See the relevant discussion in the TAG review.


Summary

IP Protection is a feature that limits availability of a user’s original IP address in third party contexts in Incognito mode, enhancing Incognito's protections against cross-site tracking when users choose to browse in this mode.


IP addresses are essential to the basic functioning of the web, notably for routing traffic and to prevent fraud and spam. However, like third-party cookies, they can also be used for tracking. For Chrome users who choose to browse in Incognito mode, we wanted to provide additional control over their IP address, without breaking essential web functionality.


To strike this balance between protection and usability, this proposal focuses on limiting the use of IP addresses in a third-party context in Incognito Mode. To that end, this proposal uses a list-based approach, where only domains on the Masked Domain List (MDL) in a third-party context will be impacted.


1% Experiment Summary

Our 1% stable Incognito experiment did not show any statistically significant movement for Core Web Vitals or increase in crashes on both Desktop and Android platforms. 


As the feature is only enabled for a subset of traffic (domains on the Masked Domain List) for Incognito sessions, the sample size is smaller than we typically observe in a 1% experiment. We plan to carefully ramp the experiment to evaluate performance and stability impact before launching to Incognito 100%.


Blink component

Internals>Network>Proxy


TAG review

https://github.com/w3ctag/design-reviews/issues/1083 


TAG review status

Closed (resolution: decline)


Risks



Interoperability and Compatibility

There shouldn’t be any interop concerns, as we’re routing certain traffic through a series of proxies.


In terms of compatibility, there are a few possible risks, namely assigning the incorrect geo on egress. However, this would be considered a bug in our services (to be fixed server side when discovered), not a consequence of the feature itself. Another risk might be that these IP ranges aren’t recognized and certain traffic is incorrectly blocked or a user loses access to a resource. We have published our geofeed as one mitigation for this risk.


Gecko: No signal


WebKit: Shipped/Shipping. Safari has a similar feature called iCloud Private Relay.


Web developers: Mixed signals. There are some different views in the various open and closed issues at https://github.com/GoogleChrome/ip-protection/issues. They range from neutral (questions about user choice, impact on anti-fraud/anti-abuse use cases, etc.) to negative (questions around the ability to trust the system).


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

We display which requests are proxied in the DevTools Network panel (when IP Protection is enabled). Proxied requests can also be debugged via netlogs. 


We also have chrome://flags/#ip-protection-proxy-opt-out which developers or users can use for testing suspected breakage. 


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

We plan to launch this on all Blink platforms except WebView.


Is this feature fully tested by web-platform-tests?

No, and there isn’t any API to be tested. So we don’t plan to add any.


Flag name on about://flags

None


Finch feature name

EnableIpPrivacyProxy


Rollout plan

(RARE) Experiment users ramp up over time


Requires code in //chrome?

False


Tracking bug

https://issues.chromium.org/issues/370696608


Launch bug

https://launch.corp.google.com/launch/4403761


Estimated milestones

Shipping on desktop

140

Shipping on Android

140


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6574194264899584


Links to previous Intent discussions

Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/9s8ojrooa_Q/m/I6Rj5UTZBgAJ

https://groups.google.com/a/chromium.org/g/blink-dev/c/gBL-Nce3g9c?e=48417069 
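
For operators concerned about the compatibility risk described in this post (proxy egress ranges not being recognized and traffic being blocked), here is an added example that is not part of the original post and is not Chrome's code. It parses a geofeed, assumed here to use the RFC 8805 CSV layout, and checks whether a client IP seen in server logs falls inside a listed prefix; the feed contents are constructed from documentation prefixes, not real egress ranges.

```python
import csv
import ipaddress

# Constructed sample in RFC 8805 geofeed layout (documentation prefixes,
# not real proxy egress ranges): prefix,country,region,city,postal
SAMPLE_GEOFEED = """\
# constructed sample feed
192.0.2.0/25,US,US-CA,Mountain View,
192.0.2.128/25,DE,DE-BE,Berlin,
2001:db8:100::/48,JP,JP-13,Tokyo,
not-a-prefix,US,,,
"""

def parse_geofeed(text):
    """Return a list of (network, country, region, city); skip comments and bad rows."""
    entries = []
    for row in csv.reader(text.splitlines()):
        if not row or row[0].lstrip().startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except ValueError:
            continue  # malformed prefix: ignore it rather than fail the whole feed
        fields = [f.strip() for f in row[1:4]] + [""] * 3
        entries.append((net, fields[0], fields[1], fields[2]))
    return entries

def lookup(entries, client_ip):
    """Longest-prefix match of client_ip against the feed; None if not listed."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    best = None
    for net, country, region, city in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country, region, city)
    return best

if __name__ == "__main__":
    feed = parse_geofeed(SAMPLE_GEOFEED)
    for ip in ("192.0.2.200", "2001:db8:100::1", "198.51.100.7"):
        hit = lookup(feed, ip)
        print(ip, "->", f"listed egress, geo {hit[1]}/{hit[3]}" if hit else "not in feed")
```

A match means the address is a listed egress prefix and the feed's geo, not the user's own location, is what an IP-geolocation lookup should return for it.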



Alex Russell

Jul 14, 2025, 2:18:33 PM
to blink-dev, riz...@google.com, Mike Taylor, James Bradley
This is exciting work, and I'm inclined to LGTM. There are some reviews that need to be kicked off within the tool for us to be able to move forward; let us know if you need help.

On the meat of the work, are you going to be launching this feature with any other Chromium browsers, either with Google as a proxy or using the same code paths with alternate proxies? And do you envision that users will be able to pick their proxy?

Best,

Alex

Zainab Rizvi

Jul 14, 2025, 4:08:39 PM
to Alex Russell, blink-dev, Mike Taylor, James Bradley
Thanks, Alex, I've updated the review bits in the tool. 

We are currently targeting this work for Chrome's Incognito mode only. Users will not be able to pick their proxy, but they will be able to turn off the feature. 

Alex Russell

Jul 16, 2025, 11:17:55 AM
to blink-dev, riz...@google.com, blink-dev, Mike Taylor, James Bradley, Alex Russell
Thanks. What's the story for non-Google browsers?

Chris Harrelson

Jul 16, 2025, 11:28:24 AM
to Alex Russell, blink-dev, riz...@google.com, Mike Taylor, James Bradley
LGTM1

Alex Russell

Jul 16, 2025, 11:29:20 AM
to blink-dev, Chris Harrelson, blink-dev, riz...@google.com, Mike Taylor, James Bradley, Alex Russell, Mike Taylor
Mike Taylor was kind enough to answer all my questions regarding non-Google browsers in today's API OWNERS meeting. LGTM2.

Philip Jägenstedt

Jul 16, 2025, 1:40:44 PM
to Alex Russell, blink-dev, Chris Harrelson, riz...@google.com, Mike Taylor, James Bradley, Mike Taylor
LGTM3
