Contact emailsriz...@google.com, mk...@chromium.org

Explainerhttps://github.com/explainers-by-googlers/script-blocking

Specification
https://github.com/explainers-by-googlers/script-blocking/blob/main/index.bs

Summary

Mitigating API Misuse for Browser Re-Identification, otherwise known as
Script Blocking is a feature that will block scripts engaging in known,
prevalent techniques for browser re-identification in third-party contexts.
These techniques typically involve the misuse of existing browser APIs to
extract additional information about the user's browser or device
characteristics.

To strike this balance between protection and usability, this proposal
focuses on blocking scripts in a third-party context in Incognito mode.
This proposal uses a list-based approach, where only domains marked as
“Impacted by Script Blocking” on the Masked Domain List (MDL)
<https://github.com/GoogleChrome/ip-protection/blob/main/Masked-Domain-List.md>
in a third-party context will be impacted.

When the feature is enabled, Chrome will check network requests against the
blocklist.  This feature will reuse Chromium's subresource_filter
component, which is responsible for tagging and filtering subresource
requests based on page-level activation signals and a ruleset used to match
URLs for filtering.

Blink componentBlink>Network>FetchAPI
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ENetwork%3EFetchAPI%22>

TAG reviewhttps://github.com/w3ctag/design-reviews/issues/1114

TAG review statusPending

Risks


Interoperability and Compatibility

There shouldn’t be any interop concerns. In terms of compatibility, this
feature is anticipated to have an impact on websites that rely on scripts
from domains identified as serving fingerprinting techniques. Sites that
integrate third-party scripts from identified domains may experience
functional breakage or render incorrectly when accessed in Incognito mode.


*Gecko*: Shipped/Shipping (
https://support.mozilla.org/en-US/kb/trackers-and-scripts-firefox-blocks-enhanced-track
)

*WebKit*: Shipped/Shipping (
https://webkit.org/tracking-prevention/#private-browsing-mode)

*Web developers*: No signals

*Other signals*:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

None


Goals for experimentation

We will run a 1% stable experiment for users when in Incognito mode. Our
motivation is functional in nature: we would like to better understand the
breakage impact on sites, performance impact of checking requests against a
blocklist, as well as testing that updates to the MDL, such as domain
additions and removals (from changes to Disconnect's source lists or
successful appeals) propagate to Chrome clients.

We will consider site breakage rates (indicated via user reports,
aggregated UMA logging) as well as performance metrics (e.g., page load
time, memory usage).

Ongoing technical constraints

None


Debuggability

We have added support in DevTools Issues to indicate which requests are
being blocked by this feature. We also have
chrome://flags/##enable-fingerprinting-protection-blocklist-incognito which
developers and users can use for testing suspected breakage.


Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, ChromeOS, Android, and Android WebView)?No

We plan to launch this on all Blink platforms except WebView.


Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
?No

We are exploring ways to test this feature via WPT. We want to test the
correct integration and ordering of the script blocking mechanism within
the Fetch API.


Flag name on about://flagsEnable Fingerprinting Protection Blocklist In
Incognito

Finch feature nameEnableFingerprintingProtectionInIncognito

Requires code in //chrome?True

Tracking bughttps://g-issues.chromium.org/issues/411138638

Launch bughttps://launch.corp.google.com/launch/4367306

Estimated milestones

We would like to run the experiment from M137 to M142 inclusive.

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5188989497376768?gate=5165545720381440

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsgKDRo%3D0g%2BtJpej_ET0_2Ed20B407myiu%3D%2BicVnB7JboQ%40mail.gmail.com.

Reply via email to