Thanks, Alex, I've updated the review bits in the tool. We are currently targeting this work for Chrome's Incognito mode only. Users will not be able to pick their proxy, but they will be able to turn off the feature.
On Mon, Jul 14, 2025 at 2:18 PM Alex Russell <slightly...@chromium.org> wrote: > This is exciting work, and I'm inclined to LGTM. There are some reviews > that need to be kicked off within the tool for us to be able to move > forward; let us know if you need help. > > On the meat of the work, are you going to be launching this feature with > any other Chromium browsers, either with Google as a proxy or using the > same code paths with alternate proxies? And do you envision that users will > be able to pick their proxy? > > Best, > > Alex > > On Monday, July 14, 2025 at 8:54:50 AM UTC-7 riz...@google.com wrote: > >> Contact emailsmiketa...@chromium.org, jhbrad...@google.com, >> riz...@google.com >> >> Explainer >> https://github.com/GoogleChrome/ip-protection/blob/main/README.md >> >> Specification >> >> None. While Apple does ship a similar feature, we believe that we need >> the experience that comes with shipping before attempting standardization >> or alignment of architectures. See the relevant discussion in the TAG >> review >> <https://github.com/w3ctag/design-reviews/issues/1083#issuecomment-2891647225> >> . >> >> Summary >> >> IP Protection is a feature that limits availability of a user’s original >> IP address in third party contexts in Incognito mode, enhancing Incognito's >> protections against cross-site tracking when users choose to browse in this >> mode. >> >> IP addresses are essential to the basic functioning of the web, notably >> for routing traffic and to prevent fraud and spam. However, like >> third-party cookies, they can also be used for tracking. For Chrome users >> who choose to browse in Incognito mode, we wanted to provide additional >> control over their IP address, without breaking essential web functionality. >> >> To strike this balance between protection and usability, this proposal >> focuses on limiting the use of IP addresses in a third-party context in >> Incognito Mode. To that end, this proposal uses a list-based approach, >> where only domains on the Masked Domain List >> <https://github.com/GoogleChrome/ip-protection/blob/main/Masked-Domain-List.md> >> (MDL) >> in a third-party context will be impacted. >> >> 1% Experiment Summary >> >> Our 1% stable Incognito experiment did not show any statistically >> significant movement for Core Web Vitals or increase in crashes on both >> Desktop and Android platforms. >> >> As the feature is only enabled for a subset of traffic (domains on the >> Masked Domain List) for Incognito sessions, the sample size is smaller than >> we typically observe in a 1% experiment. We plan to carefully ramp the >> experiment to evaluate performance and stability impact before launching to >> Incognito 100%. >> >> >> Blink component >> >> Internals>Network>Proxy >> <https://issues.chromium.org/issues?q=customfield1222907:%22Internals%3ENetwork%3EProxy%22> >> >> >> TAG review >> >> https://github.com/w3ctag/design-reviews/issues/1083 >> >> >> TAG review status >> >> Closed (resolution: decline) >> >> >> Risks >> >> >> >> Interoperability and Compatibility >> >> There shouldn’t be any interop concerns, as we’re routing certain traffic >> through a series of proxies. >> >> >> In terms of compatibility, there are a few possible risks, namely >> assigning the incorrect geo >> <https://github.com/GoogleChrome/ip-protection/blob/main/Explainer-IP-Geolocation.md> >> on egress. However, this would be considered a bug in our services (to be >> fixed server side when discovered), not a consequence of the feature >> itself. Another risk might be that these IP ranges aren’t recognized and >> certain traffic is incorrectly blocked or a user loses access to a >> resource. We have published our geofeed >> <https://www.gstatic.com/ipprotection/geofeed> as one mitigation for >> this risk. >> >> >> Gecko: No signal >> >> >> WebKit: Shipped/Shipping Safari has a similar feature called iCloud >> Private Relay. >> >> >> Web developers: Mixed signals There are some different views in the >> various open and closed issues at >> https://github.com/GoogleChrome/ip-protection/issues. They range from >> neutral (questions about user choice, impact on anti-fraud/anti-abuse use >> cases, etc.) to negative (questions around the ability to trust the system). >> >> >> Other signals: >> >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> None >> >> >> >> Debuggability >> >> We display which requests are proxied in the DevTools Network panel (when >> IP Protection is enabled). Proxied requests can also be debugged via >> netlogs. >> >> >> We also have chrome://flags/#ip-protection-proxy-opt-out which developers >> or users can use for testing suspected breakage. >> >> >> Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, ChromeOS, Android, and Android WebView)? >> >> No >> >> We plan to launch this on all Blink platforms except WebView. >> >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ? >> >> No, and there isn’t any API to be tested. So we don’t plan to add any. >> >> >> Flag name on about://flags >> >> None >> >> >> Finch feature name >> >> EnableIpPrivacyProxy >> >> >> Rollout plan >> >> (RARE) Experiment users ramp up over time >> >> >> Requires code in //chrome? >> >> False >> >> >> Tracking bug >> >> https://issues.chromium.org/issues/370696608 >> >> >> Launch bug >> >> https://launch.corp.google.com/launch/4403761 >> >> >> Estimated milestones >> >> Shipping on desktop >> >> 140 >> >> Shipping on Android >> >> 140 >> >> >> Anticipated spec changes >> >> Open questions about a feature may be a source of future web compat or >> interop issues. Please list open issues (e.g. links to known github issues >> in the project for the feature specification) whose resolution may >> introduce web compat/interop risk (e.g., changing to naming or structure of >> the API in a non-backward-compatible way). >> >> None >> >> >> Link to entry on the Chrome Platform Status >> >> https://chromestatus.com/feature/6574194264899584 >> <https://chromestatus.com/feature/6574194264899584?gate=6525820887105536> >> >> >> Links to previous Intent discussions >> >> Intent to Experiment: >> https://groups.google.com/a/chromium.org/g/blink-dev/c/9s8ojrooa_Q/m/I6Rj5UTZBgAJ >> >> >> https://groups.google.com/a/chromium.org/g/blink-dev/c/gBL-Nce3g9c?e=48417069 >> >> >> >> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsi%3DLEgzcjeUDiVZ-v_QN9T5m_fs0a%2B-1gack8zWJKOBHg%40mail.gmail.com.
