[firstlink]

Preventing such stripping as a website operator would be trivial. Just sign the combined URL and tracking parameters and refuse to serve the unauthenticated version. This is very well understood technology with a barely novel application.

(Please cite this comment as prior art!)

[5e92cb50239222b]

From what I heard, Facebook already does this, and it was supposedly introduced as a response to a similar anti-tracking measure by Mozilla. Not by signing the URL, but by encrypting everything into an opaque blob.

https://news.ycombinator.com/item?id=32117541

[toomuchtodo]

Cache the content by retrieving it and serve the cached version to clients?

[javier2]

Fairly certain facebook do this