Skip to content

Browser Tooling for Privacy

Directions:

Safari

Safari lets you debug ITP in macOS Catalina.  So you need access to a Mac to troubleshoot this.

Firefox

As of October 22nd, Firefox has announced it has blocked 450 billion tracking attempts across its user base. They’ve released a blog discussing all the new privacy tooling which was enabled with the release of Firefox 70.  They’ve also announced they block over 2,000 tracking domains.

Additionally, in the developer console they have messaging:

Request to access cookie or storage on “<URL>” was blocked because it came from a tracker and content blocking is enabled. (Number of Trackers)

This is a collection of all the tracking requests which were denied access to storage, and if you extend it, you’ll get messages such as:

Request to access cookie or storage on “https://adservice.google.com/adsid/integrator.js?domain=xxxxx” was blocked because it came from a tracker and content blocking is enabled.

Then it becomes a process of mapping the domains listed in the console, back to their respective tags.  At this point, unless you have a very good understanding of what that powers on the vendor’s side—it’s likely a good time to have a discussion about the impact of the cookie not being present.

Edge

In the upcoming release of Edge anti-tracking tech will be enabled by default, resulting in behaviour very much like Firefox.  Trackers will be denied access to cookies and storage if they are on the list that Microsoft is using for trackers.

In the case of Edge the developer console is also used to determine what is being blocked, the message would look something like this:

(Number of Trackers) Tracking Prevention blocked access to storage for <URL>.

Expanding that collection of URLs results in a familiar message (URL used is an example):

Tracking Prevention blocked access to storage for https://ads.pubmatic.com/AdServer/js/user_sync.html?xxxxx.

Just like with Firefox, it becomes an exercise of matching the blocked URLs with the tag vendors, then asking the vendors as to the severity of the impact.

Chrome

Chrome blocks the least information of the browsers, but is coming down on cookies shared in 3rd party context. 

Let’s open up our trusty developer console on our website and see what awaits us. A different message—in alignment with what the Chrome team is doing:

(Number of Cookies) A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.

Expanding that collection results in:

A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

So again, it’s an exercise in matching the URLs from the collection with various tag vendors and reaching out to them to determine impact.