Difference between revisions of "Intelligent Tracking Prevention"

From MgmtWiki
(Apple)
(Problems)
 
(8 intermediate revisions by the same user not shown)
Line 6: Line 6:
  
 
==Context==
 
==Context==
* [[Privacy]] of users on the web has been compromised by the user of tracking by third parties that are referenced by the first party, or the party to which the user navigated.
+
* [[Privacy]] of users on the web has been compromised by the use of tracking by third parties that are referenced by the first party, or the party to which the user navigated.
 +
* The first attempt to block advertiser's tracking of users was blocking third party cookies which could let the advertiser know if they had been accessed in a different session with a different first-party (origin) web server. See the wiki page on [[Cross-Origin iFrame]]s.
 
* Back in 2017 Apple introduced [https://webkit.org/blog/7675/intelligent-tracking-prevention/ Intelligent Tracking Prevention]] as a means to maintain "user trust. Many users feel that trust is broken when they are being tracked and privacy-sensitive data about their web activity is acquired for purposes that they never agreed to."
 
* Back in 2017 Apple introduced [https://webkit.org/blog/7675/intelligent-tracking-prevention/ Intelligent Tracking Prevention]] as a means to maintain "user trust. Many users feel that trust is broken when they are being tracked and privacy-sensitive data about their web activity is acquired for purposes that they never agreed to."
* Since then other browsers have been adding similar functionality which is included in this wiki page.
+
* Since then, other browsers have been adding similar functionality which is included in this wiki page.
 
* There are only two major browser operating systems which are the focus of this page even though other browsers are enabled on those two platforms.
 
* There are only two major browser operating systems which are the focus of this page even though other browsers are enabled on those two platforms.
 +
* Also note the other main platform, Microsoft Windows, now supports Chrome as the basis for their Edge Browser.
  
* Also note the other main platform, Microsoft Windows, now supports the Chrome basis for their Edge Browser.
+
==Problems==
 +
* Machine learning runs on the user's device to determine which 3rd party web sites are also accessed by user's as first party sites. These sites are excluded from ITP. But sites that are not accessed by the user are partitioned by first party (origin) so that a third party cookie will not be accessible when the third party is accessed by different origins. Many Identity providers are not often accessed directly by the user and so will not be able to see cookies that were created by one origin when accessed by another. This is the very definition of [[Single Sign-On]] identity providers.
 +
* You can test whether your app requires third-party cookies in 2022 by using Chrome in Incognito mode. It has third-party cookie blocking enabled by default.
 +
* To test the impact of ITP you will need to create two servers in different origins (tld+1) domains on a current version of Apple Safari.
 +
* Details of the [[Third Party]] Cookie problems have been collected [https://docs.google.com/presentation/d/1uU3KvK6ayTpjB2OEmrSqQnUdJDPSdfxxetJrks1czvI/edit#slide=id.g11aa5093f19_0_63 here].
 +
 
 +
==Solutions==
 +
If you run a single sign-on system with a centralized session, the user needs to interact with the domain that controls the session. Otherwise, you run the risk of Intelligent Tracking Prevention treating your session controller domain as a tracker.
  
 
==Apple==
 
==Apple==
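Review bot: In the added Problems bullets, "accessed by user's as first party sites" should read "users", and "two servers in different origins (tld+1) domains" mixes origin and domain, so say which one is meant so that a reader can set up the test. The untouched 2017 bullet in Context still closes its external link with "]]", which leaves a stray bracket in the rendered text; closing it with a single "]" would fix that.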

Latest revision as of 17:18, 1 September 2022

Full Title or Meme

A means to prevent third parties in browser sessions from tracking the user across different first-party web sites.

References

  • See the wiki page on Redirects for how cookies are handled during a redirection from a first party to a third party.

Context

  • Privacy of users on the web has been compromised by the use of tracking by third parties that are referenced by the first party, or the party to which the user navigated.
  • The first attempt to block advertisers' tracking of users was blocking third-party cookies, which could let the advertiser know if they had been accessed in a different session with a different first-party (origin) web server. See the wiki page on Cross-Origin iFrames.
  • Back in 2017 Apple introduced Intelligent Tracking Prevention (https://webkit.org/blog/7675/intelligent-tracking-prevention/) as a means to maintain "user trust. Many users feel that trust is broken when they are being tracked and privacy-sensitive data about their web activity is acquired for purposes that they never agreed to."
  • Since then, other browsers have been adding similar functionality which is included in this wiki page.
  • There are only two major browser operating systems which are the focus of this page even though other browsers are enabled on those two platforms.
  • Also note the other main platform, Microsoft Windows, now supports Chrome as the basis for their Edge Browser.

Problems

  • Machine learning runs on the user's device to determine which third-party web sites are also accessed by users as first-party sites. These sites are excluded from ITP. But sites that are not accessed by the user are partitioned by first party (origin), so that a third-party cookie will not be accessible when the third party is accessed from different origins. Many identity providers are not often accessed directly by the user and so will not be able to see cookies that were created under one origin when accessed under another. This is the very definition of Single Sign-On identity providers.
  • You can test whether your app requires third-party cookies in 2022 by using Chrome in Incognito mode. It has third-party cookie blocking enabled by default.
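  • To test the impact of ITP you will need to create two servers in different origin (tld+1) domains and test them on a current version of Apple Safari.
  • Details of the Third Party Cookie problems have been collected here: https://docs.google.com/presentation/d/1uU3KvK6ayTpjB2OEmrSqQnUdJDPSdfxxetJrks1czvI/edit#slide=id.g11aa5093f19_0_63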

Solutions

If you run a single sign-on system with a centralized session, the user needs to interact with the domain that controls the session. Otherwise, you run the risk of Intelligent Tracking Prevention treating your session controller domain as a tracker.
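
The partitioning described under Problems and the interaction requirement described under Solutions can be seen in a small model. This is an added example, not code from the wiki or from WebKit: it models only the behaviour as this page describes it, and the class, function and `.example` domain names are constructed for illustration.

```javascript
// Simplified model of the behaviour described on this page. It is NOT
// WebKit's classifier or storage code. All domains are constructed.
class ModelBrowser {
  constructor() {
    this.interacted = new Set(); // domains the user has used as first party
    this.jar = new Map();        // storage key -> Map(cookie name -> value)
  }

  // The user navigates to `site` as the top-level page and interacts with it.
  visitAsFirstParty(site) {
    this.interacted.add(site);
  }

  // Storage key for cookies of `cookieSite` while `topSite` is the first party.
  storageKey(topSite, cookieSite) {
    // Sites the user also uses as first party keep one shared jar;
    // any other third party gets a separate jar per first party.
    if (topSite === cookieSite || this.interacted.has(cookieSite)) return cookieSite;
    return `${cookieSite}^${topSite}`;
  }

  setCookie(topSite, cookieSite, name, value) {
    const key = this.storageKey(topSite, cookieSite);
    if (!this.jar.has(key)) this.jar.set(key, new Map());
    this.jar.get(key).set(name, value);
  }

  getCookie(topSite, cookieSite, name) {
    const bucket = this.jar.get(this.storageKey(topSite, cookieSite));
    return bucket && bucket.has(name) ? bucket.get(name) : null;
  }
}

// SSO scenario: idp.example holds the central session; rp-a and rp-b embed it.
function ssoScenario(userInteractsWithIdp) {
  const b = new ModelBrowser();
  if (userInteractsWithIdp) {
    b.visitAsFirstParty("idp.example"); // login happens on the IdP's own page
    b.setCookie("idp.example", "idp.example", "session", "s1");
  } else {
    b.setCookie("rp-a.example", "idp.example", "session", "s1"); // login in rp-a's iframe
  }
  return {
    underRpA: b.getCookie("rp-a.example", "idp.example", "session"),
    underRpB: b.getCookie("rp-b.example", "idp.example", "session"),
  };
}

console.log(ssoScenario(false), ssoScenario(true));
```

Without first-party interaction the session set under rp-a.example is invisible under rp-b.example, which is the single sign-on failure the Problems section describes.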

Apple

Android