Contact emails riz...@google.com, mk...@chromium.org
Explainer https://github.com/explainers-by-googlers/script-blocking Specification https://github.com/whatwg/fetch/pull/1840 Summary Mitigating API Misuse for Browser Re-Identification, otherwise known as Script Blocking, is a feature that will block scripts engaging in known, prevalent techniques for browser re-identification in third-party contexts. These techniques typically involve the misuse of existing browser APIs to extract additional information about the user's browser or device characteristics. To strike this balance between protection and usability, this proposal focuses on blocking scripts in a third-party context in Incognito mode, enhancing Incognito's protections against cross-site tracking when users choose to browse in this mode. This proposal uses a list-based approach, where only domains marked as “Impacted by Script Blocking” on the Masked Domain List <https://github.com/GoogleChrome/ip-protection/blob/main/Masked-Domain-List.md> (MDL) in a third-party context will be impacted. When the feature is enabled, Chrome will check network requests against the blocklist. This feature will reuse Chromium's subresource_filter component, which is responsible for tagging and filtering subresource requests based on page-level activation signals and a ruleset used to match URLs for filtering. 1% Experiment Summary Our 1% stable Incognito experiment did not show any statistically significant movement for Incognito-specific Core Web Vitals. Furthermore, we did not receive any breakage reports pertaining to this experiment. As the feature is only enabled for third party resources in Incognito sessions, the sample size is smaller than we typically observe in a 1% experiment. We plan to carefully ramp the experiment to evaluate performance and stability impact before launching to Incognito 100%. Blink component Blink>Network>FetchAPI TAG review https://github.com/w3ctag/design-reviews/issues/1114 TAG review status Closed (resolution: decline) Risks Interoperability and Compatibility There shouldn’t be any interop concerns. In terms of compatibility, this feature is anticipated to have an impact on websites that rely on scripts from domains identified as serving fingerprinting techniques. Sites that integrate third-party scripts from identified domains may experience functional breakage or render incorrectly when accessed in Incognito mode. We are attempting to mitigate this risk by applying temporary exceptions if we determine that the intervention on a particular domain may cause significant user experience impact. Gecko: No signal WebKit: Shipped/Shipping Safari has a similar feature as part of "Intelligent Tracking Prevention" (ITP) Firefox: Shipped/Shipping Firefox has a similar feature as part of "Enhanced Tracking Protection" Web developers: <will fill out after explainer publication> WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? No, we are not proposing to ship this on WebView. Debuggability We have added support in DevTools Issues to indicate which requests are being blocked by this feature. We also have chrome://flags/#enable-fingerprinting-protection-blocklist-incognito which developers and users can use for testing suspected breakage even before we ship. Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? No. We plan to launch this on all Blink platforms except WebView. Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ? We are exploring ways to test this feature via WPT. This isn’t possible today given the implementation-defined nature of blocked resources. Some explorations are discussed here <https://explainers-by-googlers.github.io/script-blocking/#testing>. Flag name on about://flags chrome://flags/#enable-fingerprinting-protection-blocklist-incognito Finch feature name EnableFingerprintingProtectionInIncognito Rollout plan (RARE) Experiment users ramp up over time Requires code in //chrome? False Tracking bug https://issues.chromium.org/issues/431761692 <https://issues.chromium.org/issues/370696608> Launch bug https://launch.corp.google.com/launch/4367306 Estimated milestones Shipping on Desktop 140 Shipping on Android 140 Anticipated spec changes Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way). None Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5188989497376768 Links to previous Intent discussions Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/NJvGkSvLk8I?e=48417069 -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsg6hE9bT1G475xZdTscHnFuFqvF3Eobz0q7QJHF7hGf9A%40mail.gmail.com.
