An easy-to-understand explanation of how Firefox's tracking prevention measure 'State Partitioning' works



Firefox has strengthened its privacy protection function with 'Firefox 86', released in February 2021, and has introduced a new tracking prevention function called 'State Partitioning'. Mozilla engineer Johann Hoffman explains how this State Partitioning works.

Introducing State Partitioning - Mozilla Hacks - the Web developer blog
https://hacks.mozilla.org/2021/02/introducing-state-partitioning/



Websites that embed third-party cookies can also track the behavior of users after they leave the website, and through behavioral analysis, it is possible to identify user interests and display highly effective advertisements. On the other hand, such tracking collects excessive personal information, and in recent years the trend has been toward regulating and abolishing it from the viewpoint of privacy.

Mozilla, which develops Firefox, has long devised mechanisms to prevent user tracking, and Firefox 85, released in January 2021, also introduced a mechanism to prevent tracking that uses a new method called supercookies.

Regarding 'State Partitioning', the anti-tracking measure newly introduced in 'Firefox 86', Mr. Hoffman explained that, as a preliminary step, 'first you need to understand how the stateful Web API works'. 'Stateful' refers to communication that involves something like a login, and Mozilla describes a stateful Web API as an 'API that saves data such as cookies, sessions, and caches on the device'.

Originally, stateful web APIs were not created for tracking, but for sharing some state among multiple web services, whether first-party or third-party.

In the case of tracking using third-party cookies, the cookie of the website 'www.tracker.com' is embedded as a third-party cookie in the websites 'foo.com' and 'bar.com', so 'www.tracker.com' can use the cookie as an identifier to connect your activity on both sites.



Firefox's tracking prevention function 'Enhanced Tracking Protection (ETP)' blocks access to shared state, but ETP blocks based on a list of commonly used trackers, so it depends on the list always being up to date. If the list is not perfect, some trackers will not be blocked. Another limitation is that trackers can circumvent ETP by registering a new domain name, which inevitably results in a cat-and-mouse game.

State Partitioning was developed by Mozilla to address this problem. State Partitioning is a mechanism to prevent sharing of State by third parties without completely blocking cookie access. Shared state such as cookies and localStorage are separated and available only to the website that issued each cookie.

To do this, Firefox uses a mechanism called 'Double Keying', which adds to the cookie information about 'which page you were viewing at the time' and 'where it was set'. As a result, even if the user views several websites that embed the same 'www.tracker.com' third-party cookie, each is treated as a different cookie and the user is not tracked across them.

Firefox with Double Keying saves the cookie key for foo.com as 'www.tracker.com^www.foo.com' and the cookie key for bar.com as 'www.tracker.com^bar.com'. As a result, the third-party cookie will lose its function as a tracker that identifies individuals.



This mechanism allows us to use cookies and storage as usual, while providing extensive tracking protection.

On the other hand, using State Partitioning causes the problem that services using third-party cookies, such as single sign-on (SSO), will be interrupted.



For this reason, Firefox's State Partitioning does not separate state in certain specific cases, and the Double Keying function is turned off when non-separation is enabled. There are two possible cases in which Firefox enables non-separation:

1. When the embedded iframe calls the Storage Access API
2. Automated heuristic decisions

The Storage Access API is a new JavaScript API proposed by Mozilla to handle anti-tracking 'exceptions'. Mozilla also has a heuristic policy to allow storage access for 'the most common scenarios for using third-party storage on the web.' Non-separation takes effect when one of these two cases applies.
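
The Double Keying scheme and the non-separation exception described above, modeled as a toy cookie jar. This is an added example, not code from Mozilla or the original article; the class, method and cookie names are hypothetical, and treating a storage-access grant as a return to the host-only key is a simplifying assumption.

```javascript
// Toy cookie jar illustrating Double Keying; not Firefox's implementation.
// Hostnames come from the article; class and function names are hypothetical.
class CookieJar {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map();  // storage key -> Map(cookie name -> value)
    this.grants = new Set(); // "embedded^topLevel" pairs exempt from partitioning
    this.minted = 0;         // counter for constructed, deterministic IDs
  }

  // Models an exception (e.g. a Storage Access API grant) for one embed on one site.
  grantStorageAccess(embeddedHost, topLevelHost) {
    this.grants.add(`${embeddedHost}^${topLevelHost}`);
  }

  // Single key: cookie host only. Double key: cookie host plus top-level site.
  keyFor(embeddedHost, topLevelHost) {
    const pair = `${embeddedHost}^${topLevelHost}`;
    const firstParty = embeddedHost === topLevelHost;
    if (!this.partitioned || firstParty || this.grants.has(pair)) return embeddedHost;
    return pair;
  }

  get(embeddedHost, topLevelHost, name) {
    const bucket = this.store.get(this.keyFor(embeddedHost, topLevelHost));
    return bucket ? bucket.get(name) : undefined;
  }
  set(embeddedHost, topLevelHost, name, value) {
    const key = this.keyFor(embeddedHost, topLevelHost);
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
  }
}

// What an embedded tracker does on each page load: reuse its ID cookie or mint one.
function trackerVisit(jar, topLevelHost) {
  const tracker = "www.tracker.com";
  let id = jar.get(tracker, topLevelHost, "uid");
  if (id === undefined) {
    id = `user-${++jar.minted}`;
    jar.set(tracker, topLevelHost, "uid", id);
  }
  return id;
}

// IDs the tracker observes on foo.com and bar.com in one browser profile.
function idsSeen(jar) {
  return [trackerVisit(jar, "foo.com"), trackerVisit(jar, "bar.com")];
}
```

With `partitioned: false` the tracker reads the same ID on both sites; with `partitioned: true` each site gets its own ID that still persists across repeat visits to that site, and a grant restores the shared cookie only for the granted site.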

in Software, Posted by darkhorse_log