Yes, though Script Blocking in Incognito would have the same observable effect as extensions that block resources, such as ad blockers. The team is also adding monitoring to see if incognito detectability is on the rise due to these features.
On Mon, Jul 14, 2025 at 7:23 PM Gregg Tavares <g...@chromium.org> wrote: > Does this enable more detection of incognito mode by sites? > > On Mon, Jul 14, 2025 at 1:08 PM 'Zainab Rizvi' via blink-dev < > blink-dev@chromium.org> wrote: > >> Hi, Alex! This will only be enabled for Chrome's Incognito mode. >> >> On Mon, Jul 14, 2025 at 2:19 PM Alex Russell <slightly...@chromium.org> >> wrote: >> >>> Will this be enabled for all Chromium browsers by default? >>> >>> On Monday, July 14, 2025 at 8:54:57 AM UTC-7 riz...@google.com wrote: >>> >>>> Contact emails >>>> >>>> riz...@google.com, mk...@chromium.org >>>> >>>> Explainer >>>> >>>> https://github.com/explainers-by-googlers/script-blocking >>>> >>>> Specification >>>> >>>> https://github.com/whatwg/fetch/pull/1840 >>>> >>>> Summary >>>> >>>> Mitigating API Misuse for Browser Re-Identification, otherwise known as >>>> Script Blocking, is a feature that will block scripts engaging in known, >>>> prevalent techniques for browser re-identification in third-party contexts. >>>> These techniques typically involve the misuse of existing browser APIs to >>>> extract additional information about the user's browser or device >>>> characteristics. >>>> >>>> To strike this balance between protection and usability, this proposal >>>> focuses on blocking scripts in a third-party context in Incognito mode, >>>> enhancing Incognito's protections against cross-site tracking when users >>>> choose to browse in this mode. >>>> >>>> This proposal uses a list-based approach, where only domains marked as >>>> “Impacted by Script Blocking” on the Masked Domain List >>>> <https://github.com/GoogleChrome/ip-protection/blob/main/Masked-Domain-List.md> >>>> (MDL) in a third-party context will be impacted. >>>> >>>> When the feature is enabled, Chrome will check network requests against >>>> the blocklist. This feature will reuse Chromium's subresource_filter >>>> component, which is responsible for tagging and filtering subresource >>>> requests based on page-level activation signals and a ruleset used to match >>>> URLs for filtering. >>>> >>>> 1% Experiment Summary >>>> >>>> Our 1% stable Incognito experiment did not show any statistically >>>> significant movement for Incognito-specific Core Web Vitals. Furthermore, >>>> we did not receive any breakage reports pertaining to this experiment. >>>> >>>> As the feature is only enabled for third party resources in Incognito >>>> sessions, the sample size is smaller than we typically observe in a 1% >>>> experiment. We plan to carefully ramp the experiment to evaluate >>>> performance and stability impact before launching to Incognito 100%. >>>> >>>> Blink component >>>> >>>> Blink>Network>FetchAPI >>>> >>>> TAG review >>>> >>>> https://github.com/w3ctag/design-reviews/issues/1114 >>>> >>>> TAG review status >>>> >>>> Closed (resolution: decline) >>>> >>>> >>>> Risks >>>> >>>> Interoperability and Compatibility >>>> >>>> There shouldn’t be any interop concerns. >>>> >>>> In terms of compatibility, this feature is anticipated to have an >>>> impact on websites that rely on scripts from domains identified as serving >>>> fingerprinting techniques. Sites that integrate third-party scripts from >>>> identified domains may experience functional breakage or render incorrectly >>>> when accessed in Incognito mode. We are attempting to mitigate this risk by >>>> applying temporary exceptions if we determine that the intervention on a >>>> particular domain may cause significant user experience impact. >>>> >>>> Gecko: No signal >>>> >>>> WebKit: Shipped/Shipping Safari has a similar feature as part of >>>> "Intelligent Tracking Prevention" (ITP) >>>> >>>> Firefox: Shipped/Shipping Firefox has a similar feature as part of >>>> "Enhanced Tracking Protection" >>>> >>>> Web developers: <will fill out after explainer publication> >>>> >>>> WebView application risks >>>> >>>> Does this intent deprecate or change behavior of existing APIs, such >>>> that it has potentially high risk for Android WebView-based applications? >>>> >>>> No, we are not proposing to ship this on WebView. >>>> >>>> Debuggability >>>> >>>> We have added support in DevTools Issues to indicate which requests are >>>> being blocked by this feature. >>>> >>>> We also have >>>> chrome://flags/#enable-fingerprinting-protection-blocklist-incognito which >>>> developers and users can use for testing suspected breakage even before we >>>> ship. >>>> >>>> Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, ChromeOS, Android, and Android WebView)? >>>> >>>> No. We plan to launch this on all Blink platforms except WebView. >>>> >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>> ? >>>> >>>> We are exploring ways to test this feature via WPT. This isn’t possible >>>> today given the implementation-defined nature of blocked resources. Some >>>> explorations are discussed here >>>> <https://explainers-by-googlers.github.io/script-blocking/#testing>. >>>> >>>> Flag name on about://flags >>>> >>>> chrome://flags/#enable-fingerprinting-protection-blocklist-incognito >>>> >>>> Finch feature name >>>> >>>> EnableFingerprintingProtectionInIncognito >>>> >>>> Rollout plan >>>> >>>> (RARE) Experiment users ramp up over time >>>> >>>> Requires code in //chrome? >>>> >>>> False >>>> >>>> Tracking bug >>>> >>>> https://issues.chromium.org/issues/431761692 >>>> <https://issues.chromium.org/issues/370696608> >>>> >>>> >>>> Launch bug >>>> >>>> https://launch.corp.google.com/launch/4367306 >>>> >>>> Estimated milestones >>>> >>>> Shipping on Desktop >>>> >>>> 140 >>>> >>>> Shipping on Android >>>> >>>> 140 >>>> >>>> Anticipated spec changes >>>> >>>> Open questions about a feature may be a source of future web compat or >>>> interop issues. Please list open issues (e.g. links to known github issues >>>> in the project for the feature specification) whose resolution may >>>> introduce web compat/interop risk (e.g., changing to naming or structure of >>>> the API in a non-backward-compatible way). >>>> >>>> None >>>> >>>> Link to entry on the Chrome Platform Status >>>> >>>> https://chromestatus.com/feature/5188989497376768 >>>> >>>> Links to previous Intent discussions >>>> >>>> Intent to Experiment: >>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/NJvGkSvLk8I?e=48417069 >>>> >>>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsjkJMw5aXR6T%3DQiiajtqAC0s9uqaWEZYgM6J4hUj5W7fA%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsjkJMw5aXR6T%3DQiiajtqAC0s9uqaWEZYgM6J4hUj5W7fA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsjGDTA_6ONhuHAxhg7yi-n9kC2y9JdL5nXtUzjb3FXd2Q%40mail.gmail.com.
