ITP: A Timeline of the Ongoing Struggle Between Marketers and Developers: Part 2

by Ricardo Cristofolini

The Present – New tracking features, new ITP enhancements

Last week I posted the first article in a three-part series about Intelligent Tracking Prevention (ITP) and its evolution. Part 1 focused on the past: it began with the inception of ITP in June 2017 and looked at the many changes and updates between then and December 2019, where that article ended. This article focuses on the present: where does ITP stand today? If you haven’t yet, I recommend reading Part 1 before continuing.

Mar 24, 2020

WebKit kept working on the latest tracking techniques seen in the industry. This time the update was full third-party cookie blocking, and it affected not only cookies but, as we’ll see, other browsers as well.

For three years WebKit has been tightening the ITP rules, and at this point most third-party cookies were already blocked in Safari. This update completes that evolution by blocking all of them by default. To give legitimate cross-site use cases a way forward, WebKit had shipped the Storage Access API two years earlier: it lets authenticated embeds (for example, a widget from a site you are logged in to, embedded in another site) request access to their cookies, with mandatory user control. The API is currently going through the standards process in the W3C Privacy Community Group.
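To make the "mandatory user control" concrete, here is an added example (not code from the WebKit post or from the Storage Access API specification) of how an authenticated embed running in a cross-site iframe asks for access to its own cookies. The two calls it relies on, document.hasStorageAccess() and document.requestStorageAccess(), are the standard API; the `doc` parameter, the function names and the shape of the returned object are this example’s own, chosen so the flow can be exercised with a stand-in object outside a browser.

```javascript
// Added example: Storage Access API flow for an embedded, authenticated widget.
// `doc` is the iframe's document (pass the real `document` in a page); it is a
// parameter only so the logic can be driven with a stand-in object.

// Returns { granted, via } so the embed can render the signed-in view or a
// sign-in prompt without throwing.
async function ensureStorageAccess(doc) {
  // Browsers without the API have no selective block-and-grant mechanism;
  // treat cookies as flowing the way they did before ITP-style blocking.
  if (typeof doc.hasStorageAccess !== 'function') {
    return { granted: true, via: 'no-api' };
  }
  // A grant from an earlier visit may still be in effect; don't prompt again.
  if (await doc.hasStorageAccess()) {
    return { granted: true, via: 'existing' };
  }
  // The request must originate from a user gesture (click/tap) inside the
  // iframe; outside a gesture, or if the user declines, the promise rejects.
  try {
    await doc.requestStorageAccess();
    return { granted: true, via: 'prompt' };
  } catch (err) {
    const reason = err && err.message ? err.message : String(err);
    return { granted: false, via: 'denied', reason };
  }
}

// Hook the request to an element the user activates, since calling
// requestStorageAccess() outside a user gesture is rejected. `onResult`
// receives the object returned by ensureStorageAccess().
function wireStorageAccessButton(button, doc, onResult) {
  button.addEventListener('click', async () => {
    onResult(await ensureStorageAccess(doc));
  });
}
```

The practical consequence for an embed: it cannot read its cookies on load and silently recognise the user; it has to show something the user clicks, and only then learns whether access was granted or denied.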

W3C? What does that mean to me?

For the sake of context (and because knowledge is power), the W3C (World Wide Web Consortium) is the body that publishes the specifications most of the web is built on, and it also runs validators that check documents against them. Most web documents are written using markup languages such as HTML and XHTML, and these languages are defined by technical specifications that usually include a machine-readable formal grammar (and vocabulary).

Validating your markup against those specifications is worth doing: errors in your code can affect how pages render and perform, which in turn has an impact on SEO and search engine checks.

The W3C Privacy Community Group is part of this. It coordinates standardization work to improve support for user privacy on the Web and develops expertise in privacy-by-design for Web standards. In other words, the W3C creates the standards sites are built on, and once a privacy mechanism is approved as a standard, browsers and developers can move faster to implement it and push the changes live, consequently making marketers’ lives a nightmare.

Other browsers following the same path

This is a big deal because it paves the way for the other browsers that are already following, implementing, and updating similar restrictions. Tor Browser featured full third-party cookie blocking by default even before Safari, and Brave has only a few exceptions left in its blocking. Chrome is working on making third-party cookies obsolete as well.

Removes Statefulness from Cookie Blocking

The same update also removed statefulness from cookie blocking. Before it, whether a third party’s cookies were blocked or allowed depended on ITP’s internal classification of that domain, so a script could probe that behaviour and turn ITP’s internal state into a tracking vector. With third-party cookies fully blocked, every third party gets the same answer, and there is no ITP state left to detect through cookie blocking behaviour.

Login Fingerprinting

Full third-party cookie blocking also disables login fingerprinting, a technique websites used to invisibly detect which other sites you are logged in to, typically by loading a cross-site resource that responds differently depending on whether your session cookie is sent along with the request. It is viable in any browser without full third-party cookie blocking.

All of that based only on blocking third-party cookies. And there’s probably more to come.

How are browsers currently dealing with ITP and Privacy?

The browsers following the same path as Safari are Brave, Chrome, Edge, and Firefox, as far as we know. There are many browsers on the market, but these, based on our research, are the major players. Each has its own set of default rules and protections. We also can’t ignore that since 2017 there have been a lot of updates to browser privacy policies. Here we’ll focus on the few we believe are the most relevant and impactful, browser by browser.

Brave

To start, Brave’s protection comes from what it calls Shields, and the default Shield settings apply unless you change them. With no modification, Brave will:

  • Block most ads and trackers that come with them.
  • Throw away cookies other than those from the sites you actually visit.
  • Make browsers harder to recognize and follow without cookies (fingerprinting protection).
  • Upgrade you to secure connections whenever sites support them.
  • Block malicious code and malicious sites – like those trying to use your computer to mine cryptocurrencies.

Edge

Per the Microsoft Privacy Statement, Microsoft explains what data it processes, how, and for what purposes. Edge’s default seems balanced: it doesn’t block everything, but it doesn’t allow everything either. Users who want more control over Tracking Prevention can choose between three levels: Basic, Balanced (recommended), and Strict.

Not only that, but you can also see which trackers were blocked and how many times, add exceptions, or switch on the “Always use ‘Strict’ tracking prevention” option.

Firefox

Firefox follows the same idea as Edge, giving users options on how and when to block trackers. Its categories are Standard, Strict, and Custom.

Safari

Safari, the reason why all of this happened **laughs**. Nothing much to add here. ITP is enabled by default, and when you open the browser it shows information on ITP, personalization, privacy, and more.

Navigating to the Privacy preferences, you’ll find the settings that control it.

Cookies in 1st Party Context

First-party cookies need no introduction. However, ITP and the other browsers are showing no mercy, even with these.

Brave

Caps the expiration of cookies set with document.cookie at 7 days.

Chrome and Edge

No restrictions (for now).

Firefox

Purges all storage from known trackers daily, unless the user has interacted with the site in a first-party context within the last 45 days.

Safari

Two rules are applied here, both to cookies set from JavaScript with document.cookie (at the time of writing, cookies set by the server through a Set-Cookie response header are not subject to these caps):

  • Expiration is capped at 7 days.
  • Expiration is capped at 24 hours on pages with URL decoration (query parameters or fragments) when the referring domain is a known tracker.

Referrer

Just to refresh our memory, the referrer is the address of the webpage where a person clicked a link that sent them to the destination page. In other words, it’s the page they were on right before they landed on the destination page. It reaches the destination in the Referer HTTP header and is exposed to scripts as document.referrer.

Here, as previously mentioned, browsers are also looking to protect users’ privacy.

Brave

This browser deals with three specific referrer rules:

  • Cross-site referrers are spoofed (set to the referred-to rather than the referred-from origin) in non-navigational HTTP requests. That is, if a page on https://example.com/page requests a resource from https://example2.com/image.jpg, the Referer header of that request is set to https://example2.com rather than to https://example.com/page, as it normally would be.
  • Cross-site referrers are stripped in navigational HTTP requests. That is, for a top-level navigation, when a user clicks a link from https://example.com/page to https://example2.com/another-page, the Referer header is removed from the request and the landing page sees an empty document.referrer.
  • Same-site navigation preserves the referrer: from https://example1.com/blog to https://example1.com/blog/post, the referrer is https://example1.com/blog.

Chrome and Edge

Both use the browser’s default referrer policy, which the Referrer-Policy specification calls strict-origin-when-cross-origin: for cross-origin requests (sub.domain.com to othersub.domain.com, or sub.domain.com to sub.otherdomain.com) the Referer HTTP header and the document.referrer JavaScript API are truncated to just the origin of the page making the request. Thus a page such as https://www.example.com/some-page?param=value shows up as just https://www.example.com in the referrer records. Note that this is only the default: a site can still choose a different policy for its own pages with a Referrer-Policy header or meta tag.

Firefox

For requests to known tracker domains, Firefox applies the same origin-only rule as the Chrome and Edge default above. All other requests follow no-referrer-when-downgrade, which sends the full URL along with the request, except when an HTTPS page requests an HTTP resource, where the referrer is dropped entirely.

Safari

First-party cookies are restricted to 7 days since the last interaction (click, tap, text input) with the site. Safari also downgrades document.referrer to the origin in cross-site navigation. Furthermore, if the referring domain is a known tracker and the referring page has query parameters (?key=value) or fragments (#somevalue), document.referrer is downgraded to the effective top-level domain plus one part (eTLD+1). Thus a navigation originating from https://sub.classified.domain.com/page?userId=abc1234 or https://sub.classified.domain.com/page?userId=abc1234#somepart ends up as https://domain.com in the document.referrer property of the landing page.
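As an added example (not part of the original post), the following JavaScript works through what the landing page actually receives under the Brave, Chrome/Edge, Firefox and Safari rules described above, using the URLs from the text. It relies only on the standard URL parser (available in Node and in browsers); referrerFor, referrerByBrowser and the request fields are this example’s own names. Two simplifications are assumed and marked in the code: the registrable domain (eTLD+1) is taken as the last two host labels rather than looked up in the Public Suffix List, and for Safari only the cross-site navigation rules stated above are modelled, with other requests assumed to follow no-referrer-when-downgrade. Origin-only referrers are written with a trailing slash, which is how browsers serialize them.

```javascript
// Added example: referrer seen by the destination under each browser's rules.
// ASSUMPTION: eTLD+1 is approximated as the last two host labels. Real
// browsers consult the Public Suffix List, so e.g. shop.example.co.uk would
// need that list to be handled correctly.

function originWithSlash(u) {
  // Browsers serialize an origin-only referrer with a trailing slash.
  return new URL(u).origin + '/';
}

function fullReferrer(u) {
  // A full referrer never carries the fragment or embedded credentials.
  const x = new URL(u);
  x.hash = '';
  x.username = '';
  x.password = '';
  return x.href;
}

function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function isSameSite(a, b) {
  return registrableDomain(new URL(a).hostname) === registrableDomain(new URL(b).hostname);
}

function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

function hasDecoration(u) {
  const x = new URL(u);
  return x.search !== '' || x.hash !== '';
}

// The two spec policies the text refers to.
function noReferrerWhenDowngrade(from, to) {
  return isDowngrade(from, to) ? null : fullReferrer(from);
}

function strictOriginWhenCrossOrigin(from, to) {
  if (isDowngrade(from, to)) return null;
  return isSameOrigin(from, to) ? fullReferrer(from) : originWithSlash(from);
}

// request = { from, to, navigation, fromIsTracker }
//   from / to:      referring page URL and requested URL
//   navigation:     true for a top-level navigation (link click), false for a subresource
//   fromIsTracker:  whether the referring domain is on the browser's tracker list
// Returns the referrer string, or null when the header is dropped entirely.
function referrerFor(browser, { from, to, navigation, fromIsTracker = false }) {
  switch (browser) {
    case 'brave':
      if (isSameSite(from, to)) return fullReferrer(from);
      // Cross-site: stripped on navigation, spoofed to the target origin otherwise.
      return navigation ? null : originWithSlash(to);
    case 'chrome':
    case 'edge':
      return strictOriginWhenCrossOrigin(from, to);
    case 'firefox':
      return fromIsTracker
        ? strictOriginWhenCrossOrigin(from, to)
        : noReferrerWhenDowngrade(from, to);
    case 'safari': {
      // ASSUMPTION: only cross-site navigations are governed by the stated rules.
      if (!navigation || isSameSite(from, to)) return noReferrerWhenDowngrade(from, to);
      if (fromIsTracker && hasDecoration(from)) {
        const x = new URL(from);
        return `${x.protocol}//${registrableDomain(x.hostname)}/`;
      }
      return originWithSlash(from);
    }
    default:
      throw new Error(`unknown browser: ${browser}`);
  }
}

const BROWSERS = ['brave', 'chrome', 'edge', 'firefox', 'safari'];

// Side-by-side view of one request, e.g. for checking what an analytics
// tool will record as the traffic source in each browser.
function referrerByBrowser(request) {
  const out = {};
  for (const b of BROWSERS) out[b] = referrerFor(b, request);
  return out;
}
```

A useful check for analytics owners: run your own landing-page URLs through referrerByBrowser with navigation set to true and note that the same link click yields a full URL in Firefox, an origin in Chrome, Edge and Safari, and nothing at all in Brave, so any "source" logic keyed on the referrer path breaks in three of the five browsers.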

Conclusion

In conclusion, I think we will be seeing tracking protection measures for the next couple of years for sure. All of the changes we’ve seen so far, and the new updates to come, will have a major impact on things like web development, advertising and marketing, digital analytics, and optimization of user experience. Despite the fact that a few browsers are working on ways to implement ITP-style rules 100% without user interaction (Safari is the perfect example: it blocks ALL third-party cookie access and does not let users tune how ITP works), other browsers still rely on the user to decide what they do or do not want to block. Cross-site tracking blocking, automatic connection upgrades to HTTPS, and script and cookie blocking are only a few of the options users have power over.

Either way, we are moving into a cookieless world. In the past, we wanted to know who our users were, now we have to look at what they are doing regardless of who they are. If you haven’t started thinking of a strategy around how to deal with these changes, I strongly suggest you do so.

Want some help on where all of this is taking us? Don’t miss Part III of this ITP trilogy – What to Expect For the Future.

Ricardo Cristofolini

Implementation Specialist

I’m passionate about what I do. If you meet my manager or co-workers, they would say I’m a team player, engaged and always excited to learn something new. Like everyone else, I have some flaws. However, I’m not afraid to work around those to bring the best in myself and for the company.
