Cross Site Tracking Prevention Explained

Author

Reads 211

A woman makes a secure online payment using a laptop and credit card in a cozy setting.
Credit: pexels.com, A woman makes a secure online payment using a laptop and credit card in a cozy setting.

Cross site tracking prevention is a crucial aspect of online security, and it's essential to understand how it works. Cookies are small files stored on your device by websites you visit, and they can be used to track your browsing behavior.

These cookies can be used to create a profile of your online activities, which can be shared with third parties. This is where cross site tracking prevention comes in – it's designed to prevent websites from sharing your browsing data with other sites.

Cookies can be classified into first-party and third-party cookies. First-party cookies are set by the website you're visiting, while third-party cookies are set by external services like advertisers or analytics tools. Third-party cookies are the ones that can be used for cross site tracking.

The main goal of cross site tracking prevention is to block third-party cookies from being set or shared. This is achieved through various techniques, such as blocking third-party cookies altogether or allowing them only for specific websites.

What It Is

Credit: youtube.com, What Is Prevent Cross-Site Tracking In Safari? - Be App Savvy

Cross-site tracking prevention is a complex process, but let's break it down. It's essentially a system that identifies and blocks websites that engage in cross-site tracking.

To classify a website as having cross-site tracking capabilities, ITP (Intelligent Tracking Prevention) collects statistics on resource loads and matches it with known patterns of cross-site tracking.

One pattern is showing up as a third-party resource under several first-party websites. This is a red flag for ITP, which uses a machine learning model to decide when this pattern leads to a classification of cross-site tracking.

Here are the specific metrics that ITP uses to detect this pattern:

  • The number of unique websites a domain has been seen as a third-party subresource under.
  • The number of unique websites a domain has been seen as a third-party iframe under.
  • The number of unique websites a domain has been seen doing cross-site redirects under.

Another pattern that ITP detects is top frame redirects, often referred to as bounce tracking. ITP counts the number of unique such redirects that a domain does, and classifies it based on that number.

Tracker collusion is a third pattern that ITP detects. If a domain is classified as having cross-site tracking capabilities, a check is made to see which other domains have previously redirected to it, and all of those domains get classified too.

Recommended read: Tracking Number Online

When It Becomes Problematic

Credit: youtube.com, How To Turn Off Cross Site Tracking On iPhone

Cross-site tracking can be problematic when you don't know what's happening with your data. Those third parties, like data brokers, affiliate networks, and advertising networks, collect information about your browsing habits without your consent.

Cookies and other data tracking methods are used to collect this information. You might not even realize it's happening, but it's like having a digital shadow following you around the web.

Not knowing who sees your data and who it's shared with is a major concern. Transparency is key, and without it, you're left in the dark.

The General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) are taking steps to address these concerns. Websites are now required to provide users with opt-in consent forms before collecting personal user data.

To take control of your data, you can check your Chrome browser settings. Here's how:

  • Open the Chrome browser and go to Settings
  • Click Cookies and other site data under the Privacy and security option
  • Turn Send a “Do not track” request with your browsing traffic off

By being informed and taking control of your data, you can make a healthy trade-off between the value of tracking and the data it collects.

Prevention Methods

Credit: youtube.com, Disable Preventing Cross Site Tracking in Safari on Mac

To prevent cross-site tracking, you can optimize your browser settings. Firefox has an in-built feature called Private Browsing with Tracking Protection that prevents third parties from tracking your browsing activity across multiple websites.

To enable this feature in Firefox, go to Settings, tap on the Privacy and Security panel, select the Custom radio button under Enhanced Tracking Protection, and tick the Cookies checkbox (Cross-site and social media trackers is the default setting). This will block third-party cookies by default, with no exceptions.

You can also prevent cross-site tracking on iOS devices by enabling the Prevent cross-site tracking feature in Safari. To do this, go to Settings on your iPhone/iPad, scroll down until you find Safari, tap on it, and turn on Prevent Cross-site Tracking under PRIVACY & SECURITY.

Cookies

Cookies are the primary tools used by websites in the process of cross-website tracking. They are small packets of data transferred to your device's browser, designed to memorize your browsing information and online activity.

Mother protecting eyes of children against digital content
Credit: pexels.com, Mother protecting eyes of children against digital content

Cookies work in a simple manner: the browser requests a web page from the web server, the server transmits the page along with a cookie, and the cookie gets stored in the hard drive of your device. There are different types of cookies, including persistent cookies, first-party or session cookies, and third-party cookies.

Third-party cookies are the ones you should be wary of, as they keep track of your online behavior. You can prevent cross-site tracking by optimizing your browser settings, but it's essential to understand how cookies work.

Cookies can be classified into three types:

  • Persistent cookies
  • First-party or session cookies
  • Third-party cookies

The default cookie policy for WebKit on Apple's iOS, macOS, iPadOS, tvOS, and watchOS is to disallow a third-party from setting new cookies unless it already has cookies. This means that to be able to use cookies at all as third-party, the domain first has to become first-party and set its initial cookie(s) there.

Canvas Fingerprinting

Credit: youtube.com, What Is Canvas Fingerprinting? - Consumer Laws For You

Canvas Fingerprinting is a sneaky way websites can identify you. They do this by making your browser draw a hidden image.

This image varies depending on your device, graphics card, and hardware settings, resulting in a unique image for every user.

HTML5, a coding language developed for animations and graphics, includes canvas fingerprinting as a tracking tool.

The image created is essentially a unique digital fingerprint, providing accurate information when combined with other tracking data.

Websites can direct your browser to draw this image, making it a powerful tool for tracking your online activities.

This technique is often used in conjunction with other tracking methods, making it harder to detect.

Link Detection is a crucial aspect of preventing cross-site tracking. Some trackers add "click IDs" as URL parameters in links and pick them up through JavaScript on the link destination website.

This technique is called cross-site tracking via link decoration. ITP detects such link decoration and caps the expiry of cookies created in JavaScript on the landing webpage to 24 hours.

7-Day Script-Writeable Storage Cap

Close-up of hands holding puzzle lock and timer in escape room setting.
Credit: pexels.com, Close-up of hands holding puzzle lock and timer in escape room setting.

The 7-Day Script-Writeable Storage Cap is a key feature of ITP that helps prevent cross-site tracking. ITP deletes all cookies created in JavaScript after 7 days of no user interaction with the website.

This means that any trackers executing script in the first-party context will have their storage cleared after a week of inactivity. This includes IndexedDB, LocalStorage, Media keys, SessionStorage, and Service Worker registrations and cache.

These storage forms are all script-writeable, meaning they can be modified by JavaScript code. As a result, they're subject to the 7-day cap. It's worth noting that this cap only applies to storage created in JavaScript, not to storage created through other means.

Here are the specific storage forms affected by the 7-day cap:

  • IndexedDB
  • LocalStorage
  • Media keys
  • SessionStorage
  • Service Worker registrations and cache

Intelligent Tracking Prevention

Intelligent Tracking Prevention is a key feature that helps prevent cross-site tracking.

HTTP cache entries for third-party content are partitioned per first-party website, which means that each website has its own isolated cache. This helps prevent tracking across different websites.

Credit: youtube.com, How Safari's new Intelligent Tracking Prevention feature works!

By default, ITP blocks all third-party cookies, with no exceptions - not even for popups or other exceptions. This is a strong measure to prevent tracking and maintain user privacy.

Once a request is blocked from using cookies, all redirects of that request are also blocked from using cookies. This ensures that even if a user clicks on a link or follows a redirect, the tracking attempt is still blocked.

Intelligent Tracking Prevention

Intelligent Tracking Prevention (ITP) is a feature that helps protect your online privacy by blocking third-party cookies. This is a game-changer for anyone who's tired of being tracked online.

HTTP cache entries for third-party content are partitioned per first-party website, which means each website has its own cache. This helps prevent third-party cookies from following you around the web.

ITP by default blocks all third-party cookies, with no exceptions. This means that even if a website tries to sneak in a third-party cookie, ITP will block it.

Credit: youtube.com, What Is Intelligent Tracking Prevention (ITP)?

Once a request is blocked from using cookies, all redirects of that request are also blocked from using cookies. This ensures that even if a website tries to redirect you to a different page, ITP will still block the cookies.

The Storage Access API and a temporary compatibility fix for popups are the only ways to grant third-party cookie access. This is a deliberate design choice to limit third-party tracking.

Blocked Third-Party HSTS

Blocked Third-Party HSTS is a limitation of Intelligent Tracking Prevention.

HSTS can only be set by the first-party website.

This means it's only applied to the current host/domain and the website's registrable domain.

Third-party requests that don't carry cookies don't get HSTS, and since all third-party cookies are blocked by default, so is third-party HSTS.

Home Screen App Exempt from ITP

Home screen web applications are exempt from ITP's 7-day cap on all script-writeable storage. This means that the website data of home screen web applications is kept isolated from Safari and will not be affected by ITP's classification of tracking behavior in Safari.

The first-party domain of home screen web applications is skipped by ITP's website data removal algorithm. This exemption applies to home screen web applications, giving them a unique advantage in terms of data storage and classification.

Related reading: Internet Storage Sites

Tracking Prevention Features

Credit: youtube.com, How to Turn On/Off Prevent Cross-Site Tracking in Safari Browser on iPhone 16 Pro?

If you're concerned about cross-site tracking, there are steps you can take to prevent it.

Firefox has an in-built Private Browsing with Tracking Protection feature that prevents third parties from tracking your browsing activity across multiple websites.

To enable this feature, open the Firefox browser and go to Settings, then tap on the Privacy and Security panel, and select the Custom radio button under Enhanced Tracking Protection to select what to block.

You should also tick the Cookies checkbox (Cross-site and social media trackers is the default setting) and close the about: preferences page.

For iOS devices, you can prevent cross-site tracking by going to Safari > Preferences and tapping on Privacy, then selecting Prevent cross-site tracking.

Additionally, go to Settings on your iPhone or iPad, scroll down until you find Safari, and tap on it, then turn on Prevent Cross-site Tracking under PRIVACY & SECURITY.

Some websites may still engage in tracking even after you've taken these steps, so it's essential to stay vigilant and keep your browser settings up to date.

Here are some common types of script-writeable storage that are deleted after 7 days of no user interaction with the website:

  • IndexedDB
  • LocalStorage
  • Media keys
  • SessionStorage
  • Service Worker registrations and cache

Advanced Defense Mechanisms

Credit: youtube.com, What Is Cross-site Tracking? - SecurityFirstCorp.com

Some websites use a technique called fingerprinting to track users, which involves collecting information about a user's browser and device.

This can include details like screen resolution, browser type, and operating system.

Fingerprinting can be prevented by using browser extensions that block or mask this information.

Cookies are another way websites track users, but there's a way to limit their effectiveness.

By setting a short expiration date for cookies, users can force websites to ask for permission to set new cookies.

This can be done by setting the "Secure" and "HttpOnly" flags on cookies, which prevents JavaScript from accessing them.

Some websites also use pixels to track users, but these can be blocked using ad blockers or browser extensions.

A technique called canvas fingerprinting uses the HTML5 canvas element to collect information about a user's browser and device.

This can be prevented by using browser extensions that block or mask this information.

Terminology and Policy

Cross-site tracking prevention relies on a solid understanding of key terminology. A registrable domain is a website's eTLD+1 or effective top-level domain plus one label, and a website is considered a registrable domain including all of its subdomains.

Credit: youtube.com, How to Enable/Disable Prevent Cross-Site Tracking in Safari Browser on iPhone (iOS 14.4)?

To put it simply, a website is a registrable domain plus its subdomains. For example, news.example is a website, and sub.news.example is also a subdomain of that website.

Cross-site means tracking across different websites, which can occur when a user navigates to a different website or when a website loads subresources from another website. This can happen when a user clicks on an ad on news.example that loads content from adtech.example.

Here's a quick rundown of what we're working with:

  • First-party: news.example is first-party if it loads a subresource from itself.
  • Third-party: adtech.example is third-party if it loads a subresource from news.example.

User interaction, such as a click or tap, is a crucial factor in tracking, but scrolling is not considered user interaction.

Downgraded Third-Party Referrers

All third-party referrers are downgraded to their origins by default. This applies to both HTTP referrer headers and document.referrer.

For example, if the full referrer is https://www.social.example/feed?clickID=123456, it will show up as https://www.social.example/. This means you won't see the full URL with the query parameters.

Terminology and Policy

In Safari, third-party referrers are downgraded to their origins by default. This means that if you click on a link from a social media site, the full referrer will show up as the social media site itself, rather than the specific link you clicked.

Intriguing read: Link 16 Mutual Tracking

Hand Cutting Chocolate Cookie in Half
Credit: pexels.com, Hand Cutting Chocolate Cookie in Half

Classified domains that have not received user interaction in the last 30 days will have their website data deleted. This is done to prevent tracking and maintain user privacy.

If a classified domain has received user interaction but engages in bounce tracking, its cookies may be rewritten to SameSite=strict. This helps prevent tracking and keeps user data private.

To view the Privacy Report in Safari, you can follow these steps:

  1. Go to the Safari app on your iPhone.
  2. Tap , then tap .
  3. Tap Privacy Report .

Terminology

A registrable domain is a website's eTLD+1 or effective top-level domain plus one label, defined in the Public Suffix List.

A website or site is a registrable domain including all of its subdomains, with some considering scheme to also be part of a site, but for our purposes, we consider http and https to be the same site.

Cross-site refers to navigating across different websites or loading subresources from a different website, which can be a concern for tracking.

First-party and third-party websites are defined by their relationship to the user's browser: if news.example loads a subresource from adtech.example, then news.example is first-party and adtech.example is third-party.

Related reading: Video Game News Site

Credit: youtube.com, What are Website Policies? (Privacy Policy, Terms of Service, Cookie Policy)

Third-party cookies aren't a special type of cookie, but rather a situation where content has access to its cookies when loaded from a third-party website.

User interaction includes user clicks, taps, or keyboard entries on a website, but not scrolling.

Partitioning is a technology to isolate third-party storage and stateful web features per first-party website, preventing cross-site tracking.

Ephemeral storage refers to storage that doesn't persist to disk and goes away with the application, such as when the user quits the browser or reboots their device.

Here's a quick reference to some key terms:

  • Registrable Domain: eTLD+1 or effective top-level domain plus one label
  • First-Party: a website that loads resources from itself or its subdomains
  • Third-Party: a website that loads resources from another website
  • Partitioning: a technology to isolate third-party storage and stateful web features per first-party website
  • Ephemeral Storage: storage that doesn't persist to disk and goes away with the application

The default cookie policy for WebKit on Apple's iOS, macOS, iPadOS, tvOS, and watchOS is to disallow a third-party to set new cookies unless it already has cookies.

This means that to be able to use cookies at all as third-party, the domain first has to become first-party and set its initial cookie(s) there.

This default cookie policy has been in effect since Safari 1.0 and is still in effect today as part of the “Prevent cross-site tracking” setting.

Credit: youtube.com, [WebSec2, Video 5] Cookie Policy Definition

This policy is a key part of Apple's efforts to protect user privacy, and it's a good thing to be aware of if you're working with cookies on these platforms.

In practice, this means that if you want to use third-party cookies, you need to first establish a relationship with the user as a first-party, and then you can set cookies and continue to access them.

This can be a bit tricky to work with, but it's a good way to ensure that users have more control over their data and online experience.

Reporting and Browsing

You can review the Privacy Report to see a summary of trackers that have been encountered and prevented by Intelligent Tracking Prevention on the current webpage you’re visiting.

To view the Privacy Report, go to the Safari app on your iPhone, tap , then tap , and finally tap Privacy Report.

iCloud Private Relay helps prevent websites and network providers from creating a detailed profile about you by encrypting and routing your traffic through two separate internet relays.

Credit: youtube.com, How to Disable Prevent Cross-Site Tracking in Safari Browser on macOS Sonoma?

You can turn iCloud Private Relay completely on or off for your iPhone, or turn it on or off for a specific Wi-Fi or cellular network.

Turning iCloud Private Relay off temporarily is also an option, but note that it's not available in all countries or regions.

Cookie Blocking Latch Mode is a feature that blocks all redirects of a request from using cookies, once a request is blocked from using cookies.

Here's a quick rundown of how to access these features:

  1. View the Privacy Report: Go to the Safari app, tap , then tap , and finally tap Privacy Report.
  2. Turn iCloud Private Relay on or off: Go to Settings, and toggle the switch for iCloud Private Relay.
  3. Turn Cookie Blocking Latch Mode on: This is a feature that's always on by default, but you can't turn it off.

Francisco Parker

Assigning Editor

Francisco Parker is a seasoned Assigning Editor with a keen eye for compelling content. With a passion for storytelling, Francisco has spent years honing his skills in the journalism industry, where he has developed a keen sense of what readers want to know. Throughout his career, Francisco has assigned articles on a wide range of topics, including SEO Strategies, where he has helped readers navigate the ever-changing landscape of online search and optimization.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.