My presentation titled "Browsers eat data quality for breakfast" from SuperWeek 2020.
The presentation introduces the "tracking protection / prevention / blocking" mechanisms implemented in the major browsers.
The information comes from the www.cookiestatus.com service.
13. Graphic adapted from https://web.dev/samesite-cookies-explained/
https://page.somedomain.com/
https://page.otherdomain.com/
https://page.thirddomain.com/
https://image.cdn.com/image.gif
All pages include a request to the same third-party resource, so each request carries all cookies written on the third-party domain, which enables cross-site tracking.
60. Manage ad frequency
Build graphs and comprehensive audience profiles
Cross-site tracking
Cookie matching/syncing
View-through attribution
Target ads
Analytics integrations
SSO / login flows
State in embedded services
Multi-purpose scripts
1st party data collection
Tag management
Client-side state
Data quality
65. 3rd party context
Browser | Block | Restrict
Brave:
Strips all cookies from 3P requests.
Blocks all requests to domains in filter lists.
Strips cross-site referrers in navigational requests.
Spoofs cross-site referrers in subresource HTTP requests.
Strips fbclid, gclid, msclkid, mc_eid parameters from request URLs.
67. 3rd party context
Browser | Block | Restrict
Brave | Cookies, requests, referrers | Referrers
Chrome | - | -
Cliqz:
Blocks cookies in 3P context if target domain is classified (on-device and/or globally), with mitigations (widget interactions, redirects, oAuth flows).
Other cookies set to 1h expiration if no interaction with site in 1P context.
Strips potential user identifiers from request URLs, unless in global safe set.
Downgrades referrer to origin in cross-origin requests.
69. 3rd party context
Browser | Block | Restrict
Brave | Cookies, requests, referrers | Referrers
Chrome | - | -
Cliqz | Cookies | Cookies, request URLs
Edge:
Blocks cookies in 3P requests if target domain in Trust Protection Lists, with mitigations for engagement and same-org.
Blocks all script-writable storage with same conditions as above.
Blocks requests to Fingerprinting and Cryptomining domains.
71. 3rd party context
Browser | Block | Restrict
Brave | Cookies, requests, referrers | Referrers
Chrome | - | -
Cliqz | Cookies | Cookies, request URLs
Edge | Cookies, storage, requests | -
Firefox:
Blocks cookies in 3P requests if target domain classified in Disconnect.me.
Blocks requests to Cryptomining category.
Blocks requests if domain in Fingerprinting and Tracking category.
Blocks localStorage and IndexedDB for classified domains.
73. 3rd party context
Browser | Block | Restrict
Brave | Cookies, requests, referrers | Referrers, request URLs
Chrome | - | -
Cliqz | Cookies | Cookies, request URLs
Edge | Cookies, storage, requests | -
Firefox | Cookies, storage, requests | -
Safari:
Blocks cookies if no prior cookies set.
Blocks cookies if no interaction with site in 1P.
Blocks cookies if classified by ITP (except with Storage Access API).
Blocks IndexedDB.
Partitioned and ephemeral localStorage.
Downgrade referrer to origin on subresource HTTP requests.
Downgrade referrer to eTLD+1 if referring page classified with URL decoration.
78. 1st party context
Browser | Block | Restrict
Brave | Cookies, requests, referrers | Referrers
Chrome | - | -
Cliqz:
Non-HttpOnly cookies expire in 7 days.
HttpOnly cookies expire in 30 days.
Cookies set on classified domains that are visited infrequently expire in 7 days.
Cookies set on classified domains that are visited frequently expire in 30 days.
80. 1st party context
Browser | Block | Restrict
Brave | Cookies, requests, referrers | Referrers, request URLs
Chrome | - | -
Cliqz | Cookies | Cookies, request URLs
Edge | Cookies, storage, requests | -
Firefox | Cookies, storage, requests | -
Safari:
Cookies set with JavaScript expire in 7 days.
Cookies set with JavaScript when referring domain is classified and URL has link decoration expire in 24 hours.
Other browser storage is expired in 7 days since last interaction if referring domain is classified and URL has link decoration.
81. 1st party context
Browser | Block | Restrict
Brave | - | Cookies
Chrome | - | -
Cliqz | - | Cookies
Edge | - | -
Firefox | - | -
Safari | - | Cookies, storage
90. DO
- Periodically audit the use of client-side state in your sites, services, and applications. Avoid over-reliance; use HttpOnly where possible, then HTTP headers, then JS.
- Figure out how to incentivize logging in.
- Set cookies you need in third-party context to SameSite=None;Secure, with fallbacks for unsupported browsers.
- Utilize Storage Access API for access to third-party storage.
- Consider the browser as a manifestation of the user's desire and intent with regard to tracking. Err on the side of as much privacy as possible.
- No evil.
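One way to apply the SameSite=None;Secure recommendation with a fallback for unsupported browsers, shown as an added example that is not part of the presentation. It uses a dual-cookie pattern; the `-legacy` suffix, the cookie names and all function names are assumptions made for illustration.

```javascript
// Added example: dual-cookie fallback for a cookie needed in third-party context.
// The "-legacy" suffix and all cookie names are assumptions made for illustration.
const LEGACY_SUFFIX = "-legacy";

// Build both Set-Cookie values for one logical cookie.
function thirdPartyCookieHeaders(name, value, maxAgeSeconds) {
  const base = `${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly`;
  return [
    `${name}=${base}; SameSite=None`, // browsers that understand SameSite=None
    `${name}${LEGACY_SUFFIX}=${base}`, // fallback: same value, no SameSite attribute
  ];
}

function safeDecode(v) {
  try { return decodeURIComponent(v); } catch { return v; }
}

// Parse a Cookie request header into a Map; malformed pairs are skipped.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq > 0) jar.set(pair.slice(0, eq), safeDecode(pair.slice(eq + 1)));
  }
  return jar;
}

// Prefer the SameSite=None cookie; fall back to the legacy copy; null if neither arrived.
function readThirdPartyCookie(header, name) {
  const jar = parseCookieHeader(header);
  for (const key of [name, name + LEGACY_SUFFIX]) {
    if (jar.has(key)) return jar.get(key);
  }
  return null;
}

// Audit helper: flag Set-Cookie values that conflict with the advice on this slide.
function auditSetCookie(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const findings = [];
  if (attrs.includes("samesite=none") && !attrs.includes("secure")) {
    findings.push("SameSite=None without Secure");
  }
  if (!attrs.includes("httponly")) findings.push("no HttpOnly: readable from JavaScript");
  return findings;
}
```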
91. DO NOT
- Look at "server-side analytics" as a silver bullet.
- Ignore small market share web browsers.
- Expect tracking prevention development to settle / slow down.
- Spread FUD about the impact of these measures without empirical data to back it up with.
- Expect that browsers will handle the ethical / legal side of data collection for you.
- Think that browsers have got tracking prevention "right".