{"id":26654,"date":"2019-09-23T16:46:24","date_gmt":"2019-09-23T20:46:24","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=26654"},"modified":"2019-09-25T14:16:05","modified_gmt":"2019-09-25T18:16:05","slug":"intelligent-tracking-prevention-2-3","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/09\/23\/intelligent-tracking-prevention-2-3\/","title":{"rendered":"Intelligent Tracking Prevention 2.3"},"content":{"rendered":"

John Wilander<\/a>:<\/p>\n

\n

By limiting the ability to use any<\/em> script-writeable storage for cross-site tracking purposes, ITP 2.3 makes sure that third-party scripts cannot leverage the storage powers they have gained over all these websites.<\/p>\n

[…]<\/p>\n

Our research has found that trackers, instead of decorating the link of the destination page, decorate their own referrer URL and read the tracking ID through document.referrer<\/code> on the destination page.<\/p>\n

ITP 2.3 counteracts this by downgrading document.referrer<\/code> to the referrer’s eTLD+1 if the referrer has link decoration and the user was navigated from a classified domain. Say the user is navigated from social.example to website.example and the referrer is https:\/\/sub.social.example\/some\/path\/?clickID=0123456789<\/code>. When social.example’s script on website.example reads document.referrer<\/code> to retrieve and store the click ID, ITP will make sure only https:\/\/social.example<\/code> is returned.<\/p>\n

[…]<\/p>\n

Safari on macOS Catalina now has ITP Debug Mode.<\/p>\n

[…]<\/p>\n

Our blog post on ITP 2.1<\/a> provided guidance on how to protect cookies. We specifically encourage the use of Secure and HttpOnly cookies<\/a>.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n