Identity sharding and URL parameter tracking

[ehsan]

Let's consider the following attack scenario:

• The user goes to site.example and login using a third-party login.adtech.example frame.
• site.example has a first-party script from analytics.adtech.example/analytics.js.
• After the successful login, login.adtech.example frame does a parent.postMessage() to communicate the user's PII to a message handler set up by analytics.js.
• The said message handler runs the loop in [1].
• The user clicks a link to news.example which also has analytics.adtech.example/analytics.js embedded.
• analytics.js looks at location.search to obtain the user's PII.
• Now the user's identity has been joined across sites.

[1] pseudo-code

  for (each link in document) {
    link.href = injectPII(link.href);
  }

[michaelkleber]

Indeed, so this is an example of joining that a browser should try to prevent. All three of the linked related works speak to various ways to try to cut down on "navigational tracking" / "link decoration". Some action against this threat would need to be a part of "Browsers impose limits [...] with the goal of preventing the joinability of these per-1p identities."