Summary Navigational Tracking <https://webkit.org/tracking-prevention-policy/#types-of-tracking> is a common technique for tracking individual users by passing information alongside cross-site navigations. The query string is one of the tracking surfaces, trackers can append a tracking identifier to the query string and a tracking script on the destination page can recognize users using the identifier in the query string.
To combat this, the Anti-Tracking team is building a prototype for URL query string stripping. This prototype would provide an infrastructure which allows Firefox to strip tracking query strings from the URL on top-level navigation, based on a blocklist. A real example: All outbound links from Facebook.com will be appended a query string “fbclid” which is known as Facebook Click Id and it’s unique for each user. So, if a user visiting facebook.com clicks a link to “ example.com”, Facebook will change the link to “example.com?fbclid=ABC”. The Facebook tracking script embedded on example.com can read “fbclid” from the query string and use it to track the user in a similar manner to third-party cookie tracking. The URLQueryStringStripper module will be responsible for taking the query strings and returning stripped query strings. The stripping will be applied on top-level navigations, including - Open a new tab. - Navigation by clicking a link. - Window.open(). - Script navigation. - Redirect. To avoid massive web breakage, we will follow certain rules when doing the stripping. - The query stripping only applies for top-level navigations - We don’t strip query string for same-site navigations To stay in control of breakage and web ecosystem impact we use a list based approach for specifying the names of the parameters to strip. The list will be served by a pref value and/or Remote Setting. The prototype was implemented in Nightly 91 and it is prefed off by default while we work on confirming an initial list to ship to our Nightly users. People who want to try it out can flip the pref ‘privacy.query_stripping.enabled’ to enable it and add the query strings in pref ‘privacy.query_stripping.strip_list’. Note that the strip list is using a space as a delimiter. Standard None Platform coverage Desktop Preference privacy.query_stripping.enabled privacy.query_stripping.strip_list DevTools bug N/A Other browsers Brave has built Query String Filter <https://github.com/brave/brave-browser/wiki/Query-String-Filter> Chrome and Safari haven’t implemented this yet. Web-platform-tests N/A -- Tim Huang Mozilla email:[email protected] -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAFjL7MLreg6Dsk1tBvZDLArMRYacr3ujDfsxY-PfEqxxqj29ig%40mail.gmail.com.
