by arkadiyt 2347 days ago
Reposting from the other [1] thread:

Basically Safari keeps track of which domains are being requested in a 3rd party context (i.e. I load example.com in my browser and the page loads the facebook sdk - Safari increments a counter for facebook by 1). Once a given domain reaches 3 hits, Safari will strip cookies and some other data in 3rd party requests to that domain.

The problem is that advertisers can use this to fingerprint users: register arbitrary domains, make 3rd party requests to them, and detect whether or not that request is having data stripped. Each domain is an additional "bit" of data.

This is similar to "HSTS Cookies" [2] and also to issues with Chrome's XSS auditor, which is why it was removed [3].

[1]: https://news.ycombinator.com/item?id=22120136

[2]: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-bro....

[3]: https://twitter.com/justinschuh/status/1220021377064849410
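A toy model of the counting rule described in this comment, added here as an example and not code from the thread or from WebKit: it encodes an identifier into a browser's per-domain counters, reads it back from a different site, and contrasts the result with a policy that strips all third-party cookies uniformly. Domain and site names are constructed, and the model assumes each page load that embeds a domain counts as one hit and that the request reaching the threshold is itself already stripped.

```python
# Added example, not code from the thread or from WebKit: a toy model of the
# per-domain third-party counter described above, compared with uniform blocking.
THRESHOLD = 3  # third-party hits after which cookies are stripped (per the comment)


class Browser:
    """One user's per-domain counters of requests made in a third-party context."""

    def __init__(self, policy: str = "counter"):
        # "counter": strip once a domain's counter reaches THRESHOLD
        # "block_all": strip every third-party request, regardless of history
        self.policy = policy
        self.counter: dict[str, int] = {}

    def load_page(self, top_site: str, embeds: list[str]) -> dict[str, bool]:
        """Load top_site, which requests each domain in embeds; report whether
        cookies were sent with each of those requests."""
        sent = {}
        for domain in embeds:
            if domain == top_site:
                sent[domain] = True  # first-party request is never stripped
            elif self.policy == "block_all":
                sent[domain] = False  # identical answer for every domain
            else:
                self.counter[domain] = self.counter.get(domain, 0) + 1
                # Modelling assumption: the request that reaches the threshold
                # is itself already stripped.
                sent[domain] = self.counter[domain] < THRESHOLD
        return sent


def readouts(policy: str, bits: str, reads: int) -> list[str]:
    """Encode `bits` into a fresh browser's counters on one site, then read them
    back `reads` times from another site. Each tracker-owned domain carries at
    most one bit: a stripped request reads as 1, an unstripped one as 0."""
    domains = [f"t{i}.tracker.example" for i in range(len(bits))]  # constructed
    browser = Browser(policy)
    # Writing: only the domains standing for 1-bits are pushed past the threshold.
    ones = [d for d, b in zip(domains, bits) if b == "1"]
    for _ in range(THRESHOLD):
        browser.load_page("site-a.example", ones)
    # Reading: every readout is itself a third-party hit, so in this model the
    # 0-bit domains flip to 1 after THRESHOLD - 1 readouts.
    results = []
    for _ in range(reads):
        sent = browser.load_page("site-b.example", domains)
        results.append("".join("0" if sent[d] else "1" for d in domains))
    return results
```

Under the counter policy `readouts("counter", "1010", 3)` returns the identifier twice and then `"1111"` once the readouts themselves have pushed the 0-bit domains past the threshold; under `block_all` every identifier reads back as all ones, so no bits are distinguishable.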


Please don't copy/paste comments on HN. It lowers the signal/noise ratio and makes for pain when we go to merge duplicate threads. If you want to refer to something you posted elsewhere, please use a link.

Better still, when you see a split discussion, email hn@ycombinator.com so we can merge them. We'll make sure your comment ends up in the winning thread.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

This policy is odd.

The link could die, the text at the link could change, or the comment at the link could be deleted. Not to mention a comment section full of links is ugly and unreadable.

StackOverflow has the exact opposite approach because they don’t want their site riddled with dead links.

How many people will care enough to send an email to have a comment merger? That really isn’t a solution to whatever “problem” this is.

Based on that, won't the presence of facebook on the ITP list mean either you go to Facebook, or that you've been to multiple sites that have checked if you go to Facebook? I.e., won't these techniques soon end up with all false positives?

If you make random domains that only your site references, and they're on someone's list, then you know it's your site.

You don't need this to determine that someone goes to your site—they're there. This is for tracking people as they go to other sites, and for determining what other sites the people on your site have gone to.

Why the counter in the first place? I'd rather they block cookies from any domain I'm not currently viewing.

So unlike yesterday's Apple news this is a subtle flaw, not a decision they made.

Seems like it.