TAG spec review of Stateless Bounce Tracking Mitigations

[MrPickles]

こんにちは TAG-さん!

I'm requesting a TAG review of Bounce Tracking Mitigations.

With browser vendors now actively working to remove third-party cookies from the web, some platform trackers are moving to bounce tracking. This technique involves navigating to a tracker domain at the top level of a browser tab, setting a first-party cookie or storing data in the HTTP cache, and then quickly redirecting away using a request that encodes the value of that first-party cookie or contents of the HTTP cache. Bounce tracking semantically functions like setting a third-party cookie. This spec outlines a proposal for mitigating the privacy impact of bounce trackers.

• Explainer: https://github.com/privacycg/nav-tracking-mitigations/blob/main/bounce-tracking-explainer.md and Bounce tracking should mitigate etag/Last-Modified tracking of http cache resources privacycg/nav-tracking-mitigations#41 (comment)
• Specification: https://privacycg.github.io/nav-tracking-mitigations/#bounce-tracking-mitigations
• WPT Tests: https://wpt.fyi/results/nav-tracking-mitigations?label=experimental&label=master&aligned
• User research: N/A
• Security and Privacy self-review: https://github.com/privacycg/nav-tracking-mitigations/blob/main/tag-privacy-security.md
• GitHub repo: https://github.com/privacycg/nav-tracking-mitigations
• Primary contacts:
  • Andrew Liu (@MrPickles), Google, Spec contributor
  • Ben Kelly (@wanderview), Google, Spec author
  • Svend Larsen (@svendlarsen), Google, Spec contributor
  • Anton Maliev (@amaliev), Google, Spec contributor
• Organization/project driving the specification: Google, Privacy Sandbox
• Multi-stakeholder support:
  • Chromium comments: (positive)
  • Mozilla comments: Bounce Tracking Mitigations mozilla/standards-positions#835
  • WebKit comments: Bounce Tracking Mitigations WebKit/standards-positions#214
• Status/issue trackers for implementations: https://chromestatus.com/feature/5705149616488448 and https://chromestatus.com/feature/6299570819301376

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• Previous early design review, if any: TAG spec review of Bounce Tracking Mitigations #862
• Relevant time constraints or deadlines: Q1 2025
• The group where the work on this specification is currently being done: PrivacyCG
• The group where standardization of this work is intended to be done (if different from the current group): N/A
• Major unresolved issues with or opposition to this specification: N/A
• This work is being funded by: Google

You should also know that...

This is intended to only cover "bounce tracking mitigations" which is one part of the nav-tracking-mitigations repository. (The Privacy chairs asked for it to be included this repo and due to Bikeshed tooling support it became a single document. Please disregard other parts of the document other than the section on Bounce Tracking Mitigations.)

This tag review is a continuation of #862. Since then, the spec has evolved to also look for "stateless bounces" (in other words, ignoring the requirement for cookie access) to prevent usage of the HTTP cache as a means to store data. Additionally, Mozilla is positive with the changes.

Note that there are two explainers: one for the original feature and another to explain a modification. Not all of the spec has not been merged and exists as a pull request at the time of writing. Apologies in advance for the inconvenience.

[MrPickles]

Also cc @Trikolon and @bvandersloot from Mozilla as FYI.