privacycg / nav-tracking-mitigations

Navigation-based Tracking Mitigations
https://privacycg.github.io/nav-tracking-mitigations/

navigation-tracking mitigations described for safari #19

Closed wanderview closed 2 years ago

wanderview commented 2 years ago

Are the navigational-tracking mitigations described for Safari here accurate?

https://privacycg.github.io/nav-tracking-mitigations/#mitigations-safari

There it talks about wiping storage for destination sites if the previous source site was tracking. This does not line up with what is described in WebKit's ITP blog post under "Protection Against First Party Bounce Trackers":

https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/#:~:text=Protection%20Against%20First%20Party%20Bounce%20Trackers

Specifically, that blog post suggests it's the tracker site that is wiped, not the destination.

johnwilander commented 2 years ago

Hi!

What you're referring to is in effect. However, as for deletion of website data for destination sites, you may be referring to this from our documentation:

Detection of Cross-Site Tracking Via Link Decoration

Some trackers add so called “click IDs” as URL parameters in links and pick them up through JavaScript on the link destination website. Then they store the click IDs in one of the storage forms available. That way they can establish a user identity across websites. This is called cross-site tracking via link decoration.

ITP detects such link decoration and caps the expiry of cookies created in JavaScript on the landing webpage to 24 hours.

… or you may be referring to this in the same documentation:

7-Day Cap on All Script-Writeable Storage

Trackers executing script in the first-party context often make use of first-party storage to save and recall cross-site tracking information. Therefore, ITP caps the expiry of all cookies created in JavaScript to 7 days and deletes all other script-writeable storage after 7 days of no user interaction with the website. The latter storage forms are:

- IndexedDB
- LocalStorage
- Media keys
- SessionStorage
- Service Worker registrations and cache

johannhof commented 2 years ago

Also, IIUC, Safari's days of "no user interaction" are not counted per calendar day but rather per usage day, right, @johnwilander?