Intent to Prototype: Bounce Tracking Mitigations on HTTP Cache


Chromestatus

Dec 19, 2024, 11:06:54 AM
to blin...@chromium.org, ort...@chromium.org, rtar...@chromium.org, sv...@chromium.org, wande...@chromium.org, l...@chromium.org

Contact emails

l...@chromium.org

Explainer

https://github.com/privacycg/nav-tracking-mitigations/issues/41#issuecomment-2504329542

Specification

https://privacycg.github.io/nav-tracking-mitigations/#bounce-tracking-mitigations

Summary

Bounce tracking mitigations for the HTTP cache is an extension to existing anti-bounce-tracking behavior. It removes the requirement that a suspected tracking site must have performed storage access in order to activate bounce tracking mitigations. Chrome's initially proposed bounce tracking mitigation solution triggers when a site accesses browser storage (e.g. cookies) during a redirect flow. However, bounce trackers can systematically circumvent such mitigations by using the HTTP cache to preserve data. By relaxing the triggering conditions for bounce tracking mitigations, the browser should be able to catch bounce trackers using the HTTP cache.



Blink component

Privacy>NavTracking

Motivation

It's possible to craft a bounce tracker that does not require cookie access and instead uses only the HTTP cache. As a result, there exists a class of bounce trackers that can systematically evade the initially-proposed bounce tracking mitigations. In the scenario where a redirect chain bounces to a stateless tracker that leverages the HTTP cache, the tracker can be caught after the proposed change of dropping the storage access triggering condition.



Initial public proposal

https://github.com/privacycg/nav-tracking-mitigations/issues/41

TAG review

None

TAG review status

Pending

Risks



Interoperability and Compatibility

None



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

No

Flag name on about://flags

None

Finch feature name

DIPS

Requires code in //chrome?

False

Tracking bug

https://crbug.com/40264244

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6299570819301376?gate=6301177648775168

This intent message was generated by Chrome Platform Status.
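
Added example (not part of the original message and not Chromium code): a simplified JavaScript model of the two triggering conditions the Summary describes, run over a constructed redirect chain to show which bounce site only the relaxed condition catches. The hop records, the `.example` hosts, the same-site exclusion and all function names are assumptions made for illustration.

```javascript
// Added illustration, not Chromium code. All hop records are constructed sample data.
// Assumption: a "site" is the last two host labels (browsers use the Public Suffix List).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Storage access visible on the wire: the hop received or set a cookie.
function accessedStorage(hop) {
  return Boolean(hop.requestHeaders['cookie'] || hop.responseHeaders['set-cookie']);
}

// Diagnostic only: the response is storable, so it can leave state in the HTTP cache.
function wroteHttpCache(hop) {
  const cc = (hop.responseHeaders['cache-control'] || '').toLowerCase();
  if (cc.includes('no-store')) return false;
  return /max-age=[1-9]/.test(cc) || 'etag' in hop.responseHeaders;
}

// Hops between the first and last URL are the bounces.
// requireStorageAccess=true models the original trigger, false the relaxed one.
// Assumption: hops same-site with the start or end of the chain are not counted.
function flaggedSites(chain, requireStorageAccess) {
  const start = siteOf(chain[0].url);
  const end = siteOf(chain[chain.length - 1].url);
  const flagged = new Set();
  for (const hop of chain.slice(1, -1)) {
    const site = siteOf(hop.url);
    if (site === start || site === end) continue;
    if (requireStorageAccess && !accessedStorage(hop)) continue;
    flagged.add(site);
  }
  return [...flagged].sort();
}

// Sites only the relaxed trigger catches, annotated with whether they used the cache.
function missedByOriginalTrigger(chain) {
  const original = new Set(flaggedSites(chain, true));
  return flaggedSites(chain, false)
    .filter((site) => !original.has(site))
    .map((site) => ({ site, usesHttpCache: chain.some((h) => siteOf(h.url) === site && wroteHttpCache(h)) }));
}

const SAMPLE_CHAIN = [ // constructed: one cookie-based bounce, one cache-only bounce
  { url: 'https://news.example/article', requestHeaders: {}, responseHeaders: {} },
  { url: 'https://r.cookie-bounce.example/c', requestHeaders: { cookie: 'id=abc' }, responseHeaders: {} },
  { url: 'https://r.cache-bounce.example/c', requestHeaders: {}, responseHeaders: { 'cache-control': 'max-age=31536000', etag: '"u-1f3a"' } },
  { url: 'https://shop.example/landing', requestHeaders: {}, responseHeaders: {} },
];

console.log(missedByOriginalTrigger(SAMPLE_CHAIN));
```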