Intent to Ship: IP Protection in Incognito using published Masked Domain list
Zainab Rizvi
Contact emails
mike...@chromium.org, jhbr...@google.com, riz...@google.comExplainer
https://github.com/GoogleChrome/ip-protection/blob/main/README.mdSpecification
None. While Apple does ship a similar feature, we believe that we need the experience that comes with shipping before attempting standardization or alignment of architectures. See the relevant discussion in the TAG review.
Summary
IP Protection is a feature that limits availability of a user’s original IP address in third party contexts in Incognito mode, enhancing Incognito's protections against cross-site tracking when users choose to browse in this mode.
IP addresses are essential to the basic functioning of the web, notably for routing traffic and to prevent fraud and spam. However, like third-party cookies, they can also be used for tracking. For Chrome users who choose to browse in Incognito mode, we wanted to provide additional control over their IP address, without breaking essential web functionality.
To strike this balance between protection and usability, this proposal focuses on limiting the use of IP addresses in a third-party context in Incognito Mode. To that end, this proposal uses a list-based approach, where only domains on the Masked Domain List (MDL) in a third-party context will be impacted.
1% Experiment Summary
Our 1% stable Incognito experiment did not show any statistically significant movement for Core Web Vitals or increase in crashes on both Desktop and Android platforms.
As the feature is only enabled for a subset of traffic (domains on the Masked Domain List) for Incognito sessions, the sample size is smaller than we typically observe in a 1% experiment. We plan to carefully ramp the experiment to evaluate performance and stability impact before launching to Incognito 100%.
Blink component
TAG review
https://github.com/w3ctag/design-reviews/issues/1083
TAG review status
Closed (resolution: decline)
Risks
Interoperability and Compatibility
There shouldn’t be any interop concerns, as we’re routing certain traffic through a series of proxies.
In terms of compatibility, there are a few possible risks, namely assigning the incorrect geo on egress. However, this would be considered a bug in our services (to be fixed server side when discovered), not a consequence of the feature itself. Another risk might be that these IP ranges aren’t recognized and certain traffic is incorrectly blocked or a user loses access to a resource. We have published our geofeed as one mitigation for this risk.
Gecko: No signal
WebKit: Shipped/Shipping Safari has a similar feature called iCloud Private Relay.
Web developers: Mixed signals There are some different views in the various open and closed issues at https://github.com/GoogleChrome/ip-protection/issues. They range from neutral (questions about user choice, impact on anti-fraud/anti-abuse use cases, etc.) to negative (questions around the ability to trust the system).
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Debuggability
We display which requests are proxied in the DevTools Network panel (when IP Protection is enabled). Proxied requests can also be debugged via netlogs.
We also have chrome://flags/#ip-protection-proxy-opt-out which developers or users can use for testing suspected breakage.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
We plan to launch this on all Blink platforms except WebView.
Is this feature fully tested by web-platform-tests?
No, and there isn’t any API to be tested. So we don’t plan to add any.
Flag name on about://flags
None
Finch feature name
EnableIpPrivacyProxy
Rollout plan
(RARE) Experiment users ramp up over time
Requires code in //chrome?
False
Tracking bug
https://issues.chromium.org/issues/370696608
Launch bug
https://launch.corp.google.com/launch/4403761
Estimated milestones
Shipping on desktop | 140 |
Shipping on Android | 140 |
Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6574194264899584
Links to previous Intent discussions
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/9s8ojrooa_Q/m/I6Rj5UTZBgAJ
https://groups.google.com/a/chromium.org/g/blink-dev/c/gBL-Nce3g9c?e=48417069
Alex Russell
Zainab Rizvi
This is exciting work, and I'm inclined to LGTM. There are some reviews that need to be kicked off within the tool for us to be able to move forward; let us know if you need help.On the meat of the work, are you going to be launching this feature with any other Chromium browsers, either with Google as a proxy or using the same code paths with alternate proxies? And do you envision that users will be able to pick their proxy?Best,Alex
On Monday, July 14, 2025 at 8:54:50 AM UTC-7 riz...@google.com wrote:
Alex Russell
Thanks, Alex, I've updated the review bits in the tool.We are currently targeting this work for Chrome's Incognito mode only. Users will not be able to pick their proxy, but they will be able to turn off the feature.
On Mon, Jul 14, 2025 at 2:18 PM Alex Russell <sligh...@chromium.org> wrote:
This is exciting work, and I'm inclined to LGTM. There are some reviews that need to be kicked off within the tool for us to be able to move forward; let us know if you need help.On the meat of the work, are you going to be launching this feature with any other Chromium browsers, either with Google as a proxy or using the same code paths with alternate proxies? And do you envision that users will be able to pick their proxy?Best,Alex
On Monday, July 14, 2025 at 8:54:50 AM UTC-7 riz...@google.com wrote:
Chris Harrelson
Thanks. What's the story for non-Google browsers?
On Monday, July 14, 2025 at 1:08:39 PM UTC-7 riz...@google.com wrote:
Thanks, Alex, I've updated the review bits in the tool.We are currently targeting this work for Chrome's Incognito mode only. Users will not be able to pick their proxy, but they will be able to turn off the feature.
On Mon, Jul 14, 2025 at 2:18 PM Alex Russell <sligh...@chromium.org> wrote:
This is exciting work, and I'm inclined to LGTM. There are some reviews that need to be kicked off within the tool for us to be able to move forward; let us know if you need help.On the meat of the work, are you going to be launching this feature with any other Chromium browsers, either with Google as a proxy or using the same code paths with alternate proxies? And do you envision that users will be able to pick their proxy?Best,Alex
On Monday, July 14, 2025 at 8:54:50 AM UTC-7 riz...@google.com wrote:
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c3e9c4c4-7530-4c95-9749-24f646535024n%40chromium.org.
Alex Russell
LGTM1On Wed, Jul 16, 2025 at 8:18 AM Alex Russell <sligh...@chromium.org> wrote:
Thanks. What's the story for non-Google browsers?
On Monday, July 14, 2025 at 1:08:39 PM UTC-7 riz...@google.com wrote:
Thanks, Alex, I've updated the review bits in the tool.We are currently targeting this work for Chrome's Incognito mode only. Users will not be able to pick their proxy, but they will be able to turn off the feature.
On Mon, Jul 14, 2025 at 2:18 PM Alex Russell <sligh...@chromium.org> wrote:
This is exciting work, and I'm inclined to LGTM. There are some reviews that need to be kicked off within the tool for us to be able to move forward; let us know if you need help.On the meat of the work, are you going to be launching this feature with any other Chromium browsers, either with Google as a proxy or using the same code paths with alternate proxies? And do you envision that users will be able to pick their proxy?Best,Alex
On Monday, July 14, 2025 at 8:54:50 AM UTC-7 riz...@google.com wrote:
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Philip Jägenstedt
Mike Taylor was kind enough to answer all my questions regarding non-Google browsers in today's API OWNERS meeting. LGTM2.
On Wednesday, July 16, 2025 at 8:28:24 AM UTC-7 Chris Harrelson wrote:
LGTM1On Wed, Jul 16, 2025 at 8:18 AM Alex Russell <sligh...@chromium.org> wrote:
Thanks. What's the story for non-Google browsers?
On Monday, July 14, 2025 at 1:08:39 PM UTC-7 riz...@google.com wrote:
Thanks, Alex, I've updated the review bits in the tool.We are currently targeting this work for Chrome's Incognito mode only. Users will not be able to pick their proxy, but they will be able to turn off the feature.
On Mon, Jul 14, 2025 at 2:18 PM Alex Russell <sligh...@chromium.org> wrote:
This is exciting work, and I'm inclined to LGTM. There are some reviews that need to be kicked off within the tool for us to be able to move forward; let us know if you need help.On the meat of the work, are you going to be launching this feature with any other Chromium browsers, either with Google as a proxy or using the same code paths with alternate proxies? And do you envision that users will be able to pick their proxy?Best,Alex
On Monday, July 14, 2025 at 8:54:50 AM UTC-7 riz...@google.com wrote:
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c3e9c4c4-7530-4c95-9749-24f646535024n%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f0bc64f7-27d8-44ac-930d-ccc18524cc85n%40chromium.org.