Will this be enabled for all Chromium browsers by default? On Monday, July 14, 2025 at 8:54:57 AM UTC-7 riz...@google.com wrote:
> Contact emails > > riz...@google.com, mk...@chromium.org > > Explainer > > https://github.com/explainers-by-googlers/script-blocking > > Specification > > https://github.com/whatwg/fetch/pull/1840 > > Summary > > Mitigating API Misuse for Browser Re-Identification, otherwise known as > Script Blocking, is a feature that will block scripts engaging in known, > prevalent techniques for browser re-identification in third-party contexts. > These techniques typically involve the misuse of existing browser APIs to > extract additional information about the user's browser or device > characteristics. > > To strike this balance between protection and usability, this proposal > focuses on blocking scripts in a third-party context in Incognito mode, > enhancing Incognito's protections against cross-site tracking when users > choose to browse in this mode. > > This proposal uses a list-based approach, where only domains marked as > “Impacted by Script Blocking” on the Masked Domain List > <https://github.com/GoogleChrome/ip-protection/blob/main/Masked-Domain-List.md> > > (MDL) in a third-party context will be impacted. > > When the feature is enabled, Chrome will check network requests against > the blocklist. This feature will reuse Chromium's subresource_filter > component, which is responsible for tagging and filtering subresource > requests based on page-level activation signals and a ruleset used to match > URLs for filtering. > > 1% Experiment Summary > > Our 1% stable Incognito experiment did not show any statistically > significant movement for Incognito-specific Core Web Vitals. Furthermore, > we did not receive any breakage reports pertaining to this experiment. > > As the feature is only enabled for third party resources in Incognito > sessions, the sample size is smaller than we typically observe in a 1% > experiment. We plan to carefully ramp the experiment to evaluate > performance and stability impact before launching to Incognito 100%. > > Blink component > > Blink>Network>FetchAPI > > TAG review > > https://github.com/w3ctag/design-reviews/issues/1114 > > TAG review status > > Closed (resolution: decline) > > > Risks > > Interoperability and Compatibility > > There shouldn’t be any interop concerns. > > In terms of compatibility, this feature is anticipated to have an impact > on websites that rely on scripts from domains identified as serving > fingerprinting techniques. Sites that integrate third-party scripts from > identified domains may experience functional breakage or render incorrectly > when accessed in Incognito mode. We are attempting to mitigate this risk by > applying temporary exceptions if we determine that the intervention on a > particular domain may cause significant user experience impact. > > Gecko: No signal > > WebKit: Shipped/Shipping Safari has a similar feature as part of > "Intelligent Tracking Prevention" (ITP) > > Firefox: Shipped/Shipping Firefox has a similar feature as part of > "Enhanced Tracking Protection" > > Web developers: <will fill out after explainer publication> > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > No, we are not proposing to ship this on WebView. > > Debuggability > > We have added support in DevTools Issues to indicate which requests are > being blocked by this feature. > > We also have > chrome://flags/#enable-fingerprinting-protection-blocklist-incognito which > developers and users can use for testing suspected breakage even before we > ship. > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, ChromeOS, Android, and Android WebView)? > > No. We plan to launch this on all Blink platforms except WebView. > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ? > > We are exploring ways to test this feature via WPT. This isn’t possible > today given the implementation-defined nature of blocked resources. Some > explorations are discussed here > <https://explainers-by-googlers.github.io/script-blocking/#testing>. > > Flag name on about://flags > > chrome://flags/#enable-fingerprinting-protection-blocklist-incognito > > Finch feature name > > EnableFingerprintingProtectionInIncognito > > Rollout plan > > (RARE) Experiment users ramp up over time > > Requires code in //chrome? > > False > > Tracking bug > > https://issues.chromium.org/issues/431761692 > <https://issues.chromium.org/issues/370696608> > > > Launch bug > > https://launch.corp.google.com/launch/4367306 > > Estimated milestones > > Shipping on Desktop > > 140 > > Shipping on Android > > 140 > > Anticipated spec changes > > Open questions about a feature may be a source of future web compat or > interop issues. Please list open issues (e.g. links to known github issues > in the project for the feature specification) whose resolution may > introduce web compat/interop risk (e.g., changing to naming or structure of > the API in a non-backward-compatible way). > > None > > Link to entry on the Chrome Platform Status > > https://chromestatus.com/feature/5188989497376768 > > Links to previous Intent discussions > > Intent to Experiment: > https://groups.google.com/a/chromium.org/g/blink-dev/c/NJvGkSvLk8I?e=48417069 > > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/394036a0-62f9-4bae-b43d-4fad88cf50adn%40chromium.org.
