<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>255450</bug_id>
          
          <creation_ts>2023-04-14 05:29:08 -0700</creation_ts>
          <short_desc>ITP Bounce tracking defense not efficient enough</short_desc>
          <delta_ts>2023-04-14 16:52:51 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>New Bugs</component>
          <version>Safari 16</version>
          <rep_platform>Mac (Apple Silicon)</rep_platform>
          <op_sys>macOS 13</op_sys>
          <bug_status>NEW</bug_status>
          <resolution></resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="webkit.gently881@simplelogin.fr">webkit.gently881</reporter>
          <assigned_to name="Nobody">webkit-unassigned</assigned_to>
          <cc>sihui_liu</cc>
    
    <cc>webkit-bug-importer</cc>
    
    <cc>wilander</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1948763</commentid>
    <comment_count>0</comment_count>
    <who name="webkit.gently881@simplelogin.fr">webkit.gently881</who>
    <bug_when>2023-04-14 05:29:08 -0700</bug_when>
    <thetext>Hello,

I am contacting you because I noticed adtech companies selling their Safari deterministic cross-domain tracking capabilities, from Taboola some time ago (cf. this thread https://twitter.com/WolfieChristl/status/1356547088692240386) to First.id (cf. this thread https://twitter.com/pixeldetracking/status/1645123172671389696). When I noticed Taboola&apos;s tracking and read John Wilander&apos;s answer https://twitter.com/johnwilander/status/1356638414880215040, I assumed I was protected (and I remembered Criteo tried this a long time ago, without success).

But then, I noticed that Safari didn&apos;t flag first-id bounce tracking if the user only consulted one, two or three different websites using first-id.fr tracking. It wasn&apos;t until the fourth website that first-id.fr was flagged by ITP (cf. this thread https://twitter.com/pixeldetracking/status/1646816439486099463). And in some circumstances, Safari might not even flag the website after 4+ domains (first-id made this video to &quot;prove&quot; their tracking was efficient: https://www.youtube.com/watch?v=cDKc7xALi1w).

Here are a few of the websites with first-id tracking. Click on one of the website links (for the bounce tracker to be triggered, you have to consult 2 pages), accepting cookies if you see the consent pop-up (but this pop-up might be dependent on you being in the European Union):
- allocine.fr
- marmiton.org
- liberation.fr
- aufeminin.com
- doctissimo.fr
- marieclaire.fr
- capital.fr
- jeuxvideo.com

Their website: https://www.first-id.fr/
As they are not the only ones (Taboola is using the same mechanism), I am afraid a few other adtech companies might also rely on this &quot;ITP limitation&quot;.

ITP bounce tracking defense is working well if the user consults enough websites with the first-id.fr tracker included, but I would have assumed ITP was protecting me from their tracking even if I only consulted 2 different domains, hence this bug filing.

Thanks in advance</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1948909</commentid>
    <comment_count>1</comment_count>
    <who name="Radar WebKit Bug Importer">webkit-bug-importer</who>
    <bug_when>2023-04-14 16:46:36 -0700</bug_when>
    <thetext>&lt;rdar://problem/108071412&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1948912</commentid>
    <comment_count>2</comment_count>
    <who name="John Wilander">wilander</who>
    <bug_when>2023-04-14 16:52:51 -0700</bug_when>
    <thetext>Thanks for filing! Yes, there is a fan-out threshold for classification of a domain. We&apos;ll take your feedback into consideration.</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>