Navigational Tracking is a common technique for tracking individual users by passing information alongside cross-site navigations. The query string is one of the tracking surfaces, trackers can append a tracking identifier to the query string and a tracking script on the destination page can recognize users using the identifier in the query string.
To combat this, the Anti-Tracking team is building a prototype for URL query string stripping. This prototype would provide an infrastructure which allows Firefox to strip tracking query strings from the URL on top-level navigation, based on a blocklist.
A real example: All outbound links from Facebook.com will be appended a query string “fbclid” which is known as Facebook Click Id and it’s unique for each user. So, if a user visiting facebook.com clicks a link to “example.com”, Facebook will change the link to “example.com?fbclid=ABC”. The Facebook tracking script embedded on example.com can read “fbclid” from the query string and use it to track the user in a similar manner to third-party cookie tracking.
The URLQueryStringStripper module will be responsible for taking the query strings and returning stripped query strings. The stripping will be applied on top-level navigations, including
Open a new tab.
Navigation by clicking a link.
To avoid massive web breakage, we will follow certain rules when doing the stripping.
The query stripping only applies for top-level navigations
We don’t strip query string for same-site navigations
To stay in control of breakage and web ecosystem impact we use a list based approach for specifying the names of the parameters to strip. The list will be served by a pref value and/or Remote Setting.
The prototype was implemented in Nightly 91 and it is prefed off by default while we work on confirming an initial list to ship to our Nightly users. People who want to try it out can flip the pref ‘privacy.query_stripping.enabled’ to enable it and add the query strings in pref ‘privacy.query_stripping.strip_list’. Note that the strip list is using a space as a delimiter.
Brave has built Query String Filter
Chrome and Safari haven’t implemented this yet.
You received this message because you are subscribed to the Google Groups "dev-pl...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-platform...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADYDTCB8gh7GjVpx9pMLD5pqpDjc%3DgeqkyRJzvcK2KZpwNFSgg%40mail.gmail.com.
Might this (or a future not-quite-list-based version) have an effect on attributed downloads? I know we use attribution in product downloads to determine the efficacy of marketing campaigns (as a non-exhaustive example).
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADYDTCAPZO6jUNbYnzhmO2YS1DOordR7H6yE0Amoi4Lsq7-FxQ%40mail.gmail.com.
a publicly visible list of stripped identifiers, though I doubt that any non-expert users can utilize it to fix breakage
(Brave's list is also simply embedded in its source code).
To dveditz's points:> Are you tracking users, or campaigns?Me personally? Neither : ) But to my knowledge from helping with the implementation of attribution collection in Firefox Telemetry the answer is campaigns (and other things on that order). Basically `utm_` params.> do you track cross-site?Again, not me personally : ) But we may have partners driving us traffic, and we may host the installer on non-first-party eTLD+1s for, I dunno, CDN reasons? (not sure we do for Desktop, but we don't host our own packages for Android and iOS as you'd imagine. App Stores. Ick.).> Are you likely to use fbclid= or other known tracker to do so?I doubt that very much. To my knowledge we're interested in campaign/experiment/branch-level efficacy measurement, not user-level tracking.