Third-party cookies: can’t store be blocked? Brave browser approaches the projectile

Since the first release, Brave has been implementing the most aggressive policy of all browsers regarding third-party cookies and other data – we make third-party storages (both cookie storage and localStorage / indexedDB) unavailable by default. However, entering with such a trump card not only powerfully increases the level of user privacy, but also breaks a lot of sites. Here’s our recipe for storing, sorting and issuing cookies.

No third-party entry is allowed

From ancient times to the present day, tracking by sites of user actions, by and large, is based on the exploitation of one of the oldest evils of the Internet – third-party (in a foreign language, third-party) data: cookies, records in localStorage, etc. Of course, in ancient times, few would have imagined that browser cookies would feed the heartless octopus of the surveillance and ad network industry, and that subscriber privacy would be donated to the glory of Big Data owned by Big Corporations.

As already mentioned, simply blocking third-party cookies is a controversial decision, as it interferes with the normal operation of many regular sites. Moreover, important scenarios often break down: the entrance to the site or the payment process. The fact is that until recently, the main browsers allowed these storages to work without any restrictions – accordingly, sites do not expect a catch or inaccessibility of third-party data. This lack of restrictions allows all types of analytical scripts, tracking pixels and ad networks to give your browser a unique cookie and keep a log of its activity (in chrome browsers, cookies can be seen on the page chrome: // settings / siteData)

Example

Shop.com, school.edu and bank.ru add a tracking pixel to their pages https://trackingcorp.com/track.gif”>. On the first request for this pixel, trackingcorp.com will save a cookie with a unique number in the browser. On subsequent requests from the websites of the store, school and bank, the trackingcorp server will record the history of visits for this number and sell it to everyone for a handful of dollars.

Until recently, we were balancing between maintaining privacy and ensuring the correct operation of sites through all sorts of sorcery, installation of crutches and script injection. Some sites simply had to be added to the exclusion list, otherwise they would refuse to work. This more or less helped to defend our users, but strategically it is a deeply flawed approach that does not solve the problem as a whole.

Through the efforts of our best minds (and through observations of other browsers on the market), an “ephemeral” storage of third-party data was invented – a new design that does not feed trackers, ad networks and the Good Corporation with user data, and at the same time breaks visited sites much less often. At the time of publication, we have enabled ephemeral storage in beta and are rolling out to users of the release channel.

What is the strength

Ephemeral web storage is essentially a combination of data storage solutions, each of which we will describe in more detail, with the proviso that some points may be revised based on the results of the work.

1. No cookies for requests for resources (pictures, scripts, etc.) on third-party domains. Brave sends cookies on requests to subdomains of the current site (for example, sub.habr.com), but if this is a cross-origin request (for example, for evilcorp.com/tracking_pixel.gif), no cookies will be issued.

2. Partitioned (that is, split) storage for third-party frames. Scripts that are executed in such frames can access the document cookie, localStorage or sessionStorage API (the rest of the APIs are still completely disabled for third-party requests, as before), but in fact they will be provided with different storages. For example, if the trackingcorp.com frame is embedded in example.org and other.org, then two repositories will be created: one for trackingcorp.com + example.org and one for trackingcorp.com + other.org. This eliminates the possibility of storing a unique cookie in the browser (or an entry in localStorage) of the trackingcorp.com name.

3. On the same site, all entities use the same repository. For example, you have two site tabs open, first.example.org and second.example.org, each tab has a YouTube video frame. Both frames will refer to the same repository. But if the same YouTube frame is embedded in other.org or the same video is open on one of the tabs on the YouTube website, neither the one nor the other frame will see the example.org repository, because it is not supposed to.

4. All third-party stores for the first-party site are cleared as soon as the last tab with that site is closed. Accordingly, third-party frames, which we talked about in the examples above, lose data in these storages. As long as at least one page is open for this site, third-party storage for frames exists. If you close the last one and reopen it, new, empty storages will appear.

5. After closing the browser, all segments of all third-party storages are cleared. Even with tab recovery enabled, after a restart, the storages will be new. This approach is the same as the algorithm browser fingerprint randomization in Brave, which we will talk about in the next series.

So far, we can only partition cookies and localStorage, indexedDB and other APIs are on the way – for example, we will have to integrate with the Storage Access API (which the Edge team implemented in Chromium).

What do other browsers have?

The pioneers of third-party storage partitioning are Safari and Tor Browser, which we were inspired by. Unlike Safari, Brave cleans up third-party storage when the site is closed, not the entire browser, which significantly increases protection – many users rarely restart the browser.

Partitioned storage (unlike us, not ephemeral, but persistent) for defense against supercooks was made in Firefox. Chromium is catching up in this area – today it contains only the cache is partitioned, and work is in progress on other components. Since 2019 Firefox blocks third-party cookiesbelonging to the domains of well-known trackers. More recently, the authors of Chromium announced full ban third-party cookies – this process will take a long time, but there will be less one historical mistake on the Internet.