fmarier
commented
4 years ago Unless we find examples of this being used in a cross-site setting, let's leave it out of the filter.
Closed fmarier closed 2 years ago
fmarier
commented
4 years ago Unless we find examples of this being used in a cross-site setting, let's leave it out of the filter.
pes10k
commented
2 years ago reopening because we now believe this is a cross site tracker
fmarier
commented
2 years ago We have expanded our tracking policy to include query parameters designed (or found to do so in practice) to leak a user's identity across sites: https://github.com/brave/brave-browser/wiki/Query-String-Filter/_compare/fd2df157796d6ca530442adf22ff9359048500f2...bc1adef4bce2a60c357c37927e5f4d8959ca3880
stephendonner
commented
2 years ago Verified PASSED using
| Brave | 1.35.56 Chromium: 97.0.4692.56 (Official Build) nightly (64-bit) |
|---|---|
| Revision | 04da6c66398ca50e603cc236a07dc7dfd3bbc750-refs/branch-heads/4692@{#990} |
| OS | Windows 10 Version 20H2 (Build 19042.1415) |
Steps:
https://www.instagram.com/p/CDtn9hcAYpm/?igshid=1bjglumson2t5Confirmed the ?igshid=1bjglumson2t5 was dropped via an internal redirect.
stephendonner
commented
2 years ago Verified PASSED using Brave 1.35.68, Chromium 97.0.4692.56 on a Google Pixel XL running Android 9.0.
Steps:
1.35.68http://instagram.com/p/CDtn9hcAYpm/?igshid=1bjglumson2t5Confirmed the tracking param ?igshid=1bjglumson2t5 was not present in the URL bar.
| example | example |
|---|---|
 |
 |
Verification passed on Samsung Tab A with Android 10 running 1.35.77 x64 beta build
alfredonodo
commented
1 year ago According to this site https://privacytests.org/, Brave no longer blocks igshid. Is there a problem? Thank you
pes10k
commented
1 year ago @alfredonodo no this is not expected, thank you for the heads up. We will get this fixed immediately cc @arthuredelstein
pes10k
commented
1 year ago Hello @alfredonodo , we've looked into this and the issue is with the test (the instragram share id does not appear, as best as we can tell, to be used for cross site tracking, its used for tracking user shares w/in instagram). Brave still correctly removes the instagram share id when its used for this within-instagram purpose.
My understanding is that privacytests.org is being updated to account for this, and that the test will be changed or removed in the next update.
Thank you again for reporting the issue @alfredonodo
The
igshidquery parameter was added to chrome-utm-stripper. There are lots of examples of it in the wild, and I have tested a few to confirm that removing or tampering with the parameter doesn't seem to change anything.However, I also haven't seen any evidence of this parameter on websites other than Instagram. There's not a lot of information about this tracker out there.