WingNews logo WingNews
top | item 41108455

(no title)

cosmie | 1 year ago

> Websites will just add a CNAME entry that points to whatever service they were using before. Then it's a second party (subdomain) cookie.

A lot of tracking prevention mechanisms have started baking in CNAME uncloaking in the last few years precisely for that reason. Safari/WebKit[1], Brave[2], uBlock Origin (on Firefox only)[3], and NextDNS[4] just to name a few.

At this point the industry has moved onto straight up reverse proxying so it's all first party context. In milder instances it's in the form of server-side tagging[5] (which isn't a true reverse proxy, but can easily be used as one). But at least in those instances the website operators are the ones that typically own the server-side tagging process and have oversight/control/visibility into what they're putting in place.

But that has a high bar for implementation and relatively few companies have the resources or competence for that sort of thing. So it's much easier to persuade website operators to put a pure, dumb reverse proxy in place that gives them an endpoint under the first party domain to load resources from and send hits through[6]. Including being able to use HTTP set-cookie headers in the responses, while they're at it. Which is coincidentally the only long-lived cookie that still exists in Safari/WebKit, since things like "Keep me logged in" functionality would break if they started auto-purging those too.

If it's written in javascript, it's gone in 7 days even if it's first party. And if it's an HTTP header from a CNAME, it's also gone in 7 days. Only cookies set with an HTTP set-cookie header from a first party context are durable anymore. So that's exactly where advertisers are going into as an end-run in the game of cat and mouse - with surprisingly willing adoption from website operators, who are desperate to get their attribution back and don't quite understand the risk profile it exposes them to when they approve letting a third party operator masquarade so deeply as the website operator itself.

[1] https://webkit.org/blog/11338/cname-cloaking-and-bounce-trac...

[2] https://brave.com/privacy-updates/6-cname-trickery/

[3] https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...

[4] https://medium.com/nextdns/nextdns-added-cname-uncloaking-su...

[5] https://developers.google.com/tag-platform/tag-manager/serve...

[6] https://developers.google.com/tag-platform/tag-manager/first...

[7] https://webkit.org/tracking-prevention/ (towards the bottom of the page)

discuss

order

No comments yet.