privacycg / nav-tracking-mitigations

Navigation-based Tracking Mitigations
https://privacycg.github.io/nav-tracking-mitigations/
35 stars 16 forks source link

Bypassing classification by redirect through new tab or popup #50

Closed Trikolon closed 1 year ago

Trikolon commented 1 year ago

Looking at the spec wouldn't it be possible to avoid bounce tracker classification by performing redirects through a popup or a new tab (e.g. target=_blank)?

Consider the following redirect chain: A.example -> Tracker.example -> B.example (shown below) Since bounce tracking records are kept per-tab opening a popup would lead to the creation of a new record (for Window 2) with initialHost = "Tracker.example". On extended navigation end, when running the record stateful bounces algorithm Tracker.example would then be excluded since it's set as initialHost.

image

To prevent this bypass we could copy the bounce tracking record to the new tab / window.

amaliev commented 1 year ago

Thanks for calling this out! I forgot to add a note to the spec, but we are planning to add handling for links in new windows, new tabs, and popups in an upcoming PR. I like your suggestion of copying the bounce tracking record to the new window - that's simple enough and preserves the correct initial host and final host for the storage access set.

wanderview commented 1 year ago

FWIW, I think we've been mostly focused on same-tab redirections so far. We plan to work on popup flows in the future.

I would advocate for leaving this as a TODO in the spec for now until we've had time to evaluate what use cases and sites this would impact.

amaliev commented 1 year ago

Sorry, I misunderstood earlier - our immediate plan is to add handling for extended navigations starting from a new tab, window, etc., or another opaque origin. Agree with Ben that the case of extended navigations through a new tab still needs further exploration.

amaliev commented 1 year ago

For the case where a popup opens on a tracking site, we can set the initial host of the new bounce tracking record to the site which the popup was opened from. This prevents the bypass in a simpler fashion than copying the entire bounce tracking record.