Don't block domains by etld+1 for non-cookie tracking. #1527
Comments
|
related to #1505 |
ghostwords
added
enhancement
heuristic
|
Some more context from badger sett: All 70 of those trackers used the 'toDataURL' function to do the fingerprinting (https://github.com/EFForg/privacybadger/blob/master/src/js/contentscripts/fingerprinting.js#L307). Since we are already wrapping this function in all third-party IFrames, we could have it return some harmless value instead of a meaningful data URL when the IFrame is cookieblocked. I think this would be a relatively small change -- will put together a pull request proof of concept at some point. This isn't a great long-term solution, but it might be a good stopgap that doesn't involve fundamental changes to the way Privacy Badger's blocking engine works. |
ghostwords
added
the
yellowlist
When we see a 3rd party tracking on a website, we block the etld+1 associated with the 3rd party.
This makes sense when we see cookie tracking, because cookies are scoped by domain.
However it does not make sense for localstorage or fingerprinting tracking. Localstorage tracking is scoped to a domain. Fingerprinting tracking is probably most easily associated with URLs (or something like them).
An example of how this might be a problem:
https://cdn.jsdelivr.net/fingerprintjs2/1.5.,1/fingerprint2.min.jsjsdelivr.netjsdelivr.netto the cookieblock list (it is actually on there)So we didn't actually fix anything.
It is hard to tell how big of an issue this is, since we don't get information about why a thing was blocked (related to #1289 #963), but we should keep this in mind as we develop a new
action_map.The text was updated successfully, but these errors were encountered: