by om2 2499 days ago
It's actually pretty hard to do this. You still need some way to consistently identify the same user across different sites. Stateful tracking, fingerprinting, and link decoration are the only ways we know of to do this and we have our sights set on all of them.

Isn’t link decoration an intractable problem? Ban query params and people switch to matrix params. Ban that and they subtly include it in the SEO-friendly text, ban that and…

It just seems somewhat wrong that a browser with a huge market share doesn’t use any standards / RFC process and invents new ways of blocking tracking / breaking agreed upon specifications from release to release in isolation.

We have a partial mitigation and it does not involve stripping query params.

We'll be doing more stuff in standards first / in parallel now that more browsers are actively engaged in reducing tracking.

A lot of the more extreme things we'll only do for sites that we've classified as a tracker. Other browsers put identified trackers in all kinds of penalty boxes that aren't fully defined by standards yet. (We happen to do the identification using machine learning instead of a curated block list.)

I guess this is the article’s main point — putting sites on notice that no matter how much they obfuscate their cross-site linking practices, WebKit can always hard code mitigations for that site.

If social.example links to blog.example, limit cookie storage to 24 hours, no matter what is in the link.