Intent to prototype: Bounce Tracking Mitigations

[Paul Zühlcke]

Summary:

Browser tracking protections, such as third-party cookie restrictions, can be bypassed using bounce tracking which uses short-lived top level redirects to persist first-party state. Gecko already ships Cookie Purging to mitigate this. We intend to prototype Bounce Tracking Protection - a new standardised variant of Cookie Purging that uses heuristics to detect bounce trackers, rather than relying on tracker lists.

We plan to enable the feature in Firefox Nightly by the end of the week. Please let me know if you have questions or concerns. You can also find us in #anti-tracking on Matrix.

Bug: Bug 1839915 [meta], Bug 1895222 - Enable in Nightly

Specification (draft): https://privacycg.github.io/nav-tracking-mitigations/#bounce-tracking-mitigations

Platform coverage: Firefox Desktop, Android (Fenix)

Preferences:

Enable the feature: privacy.bounceTrackingProtection.enabled = true
Enable tracker data purging: privacy.bounceTrackingProtection.enableDryRunMode = false

DevTools bugs:

• Bug 1844558 - Log a message to the web console if a site is classified as a potential bounce tracker

• Bug 1844561 - Log a message to the web console on first visit after a site's state has been purged

Link to standards-positions discussion: https://mozilla.github.io/standards-positions/#bounce-tracking-mitigations

Other browsers:

• Blink: "shipped" (since version 116, in contexts where 3rd-party cookies are restricted by default)

• WebKit: No signal (https://github.com/WebKit/standards-positions/issues/214)

web-platform-tests: Not implemented yet, blocked on https://github.com/web-platform-tests/wpt/issues/17489. The feature has Gecko tests.