Steps to reproduce:
- Go to https://senglehardt.com/test/ads/facebook_conversion.html?fbclid=IwAR0xGU9TqQTWKR0ZFtrb3WN7PlDE77eRx267VGvM0OhXwg78u0XPzddWINc.
- Click on "Click me to go to englehardt-tracker.com".
In Storage Inspector (devtools) after step 1, you'll have an "_fbc" cookie on senglehardt.com with a specific value (e.g. fb.1.1563910520903.IwAR0xGU9TqQTWKR0ZFtrb3WN7PlDE77eRx267VGvM0OhXwg78u0XPzddWINc). After step 2, for englehardt-tracker.com, you will also have an "_fbc" cookie with the exact same value set. A cross-site tracking identifier has been established by Facebook.
This circumvention works through the code that is embedded in englehardt-tracker.com through this script: https://connect.facebook.net/signals/config/727812094219915?v=2.9.1&r=stable (Script A, fetched on July 23rd 2019). Inside that script Facebook starts by reading document.referrer (which is https://senglehardt.com/test/ads/facebook_conversion.html?fbclid=IwAR0xGU9TqQTWKR0ZFtrb3WN7PlDE77eRx267VGvM0OhXwg78u0XPzddWINc, Attachment B) and then passing that to a function that decodes the fbclid argument out of the URL (see Attachment C). Then the code parses out any existing _fbc cookie and tries to update the value it reads from there with the newly captured data (see Attachment D), and finally it writes it to the cookie database (see Attachments E & F).
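The following is an added example (not Facebook's script and not an attachment to this bug) that reproduces the propagation check a tester would do by hand in Storage Inspector: it pulls the fbclid out of a referrer URL, parses the `_fbc` cookie using the `fb.<index>.<creation time>.<fbclid>` layout visible in the value above, and reports whether the cookie carries the identifier that arrived in the referrer. The referrer and Cookie header below are constructed from the values quoted in this report.

```javascript
// Added example: detect whether an _fbc cookie repeats the fbclid carried in document.referrer.
// Constructed inputs, taken from the values quoted in the report.
const REFERRER =
  "https://senglehardt.com/test/ads/facebook_conversion.html?fbclid=IwAR0xGU9TqQTWKR0ZFtrb3WN7PlDE77eRx267VGvM0OhXwg78u0XPzddWINc";
const COOKIE_HEADER =
  "sid=example; _fbc=fb.1.1563910520903.IwAR0xGU9TqQTWKR0ZFtrb3WN7PlDE77eRx267VGvM0OhXwg78u0XPzddWINc; theme=dark";

// Extract the fbclid query parameter from a URL string, or null if absent/unparseable.
function fbclidFromUrl(url) {
  try {
    return new URL(url).searchParams.get("fbclid");
  } catch (e) {
    return null;
  }
}

// Parse a Cookie header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// _fbc layout as observed in the report: fb.<subdomainIndex>.<creationTime>.<fbclid>
function parseFbc(value) {
  const m = /^fb\.(\d+)\.(\d+)\.(.+)$/.exec(value);
  if (!m) return null;
  return { subdomainIndex: Number(m[1]), creationTime: Number(m[2]), fbclid: m[3] };
}

// Returns the parsed _fbc record when its fbclid equals the one in the referrer
// (i.e. the identifier was propagated across sites), otherwise null.
function propagatedIdentifier(referrer, cookieHeader) {
  const fromReferrer = fbclidFromUrl(referrer);
  const fbc = parseFbc(parseCookies(cookieHeader)["_fbc"] || "");
  if (!fromReferrer || !fbc) return null;
  return fbc.fbclid === fromReferrer ? fbc : null;
}

console.log(propagatedIdentifier(REFERRER, COOKIE_HEADER));
```

Run it in Node or a browser console; a non-null result means the third-party site's `_fbc` cookie now contains the same click identifier as the referring page, which is the cross-site link this bug describes.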
The fbclid link decoration tag is used in order to perform ad conversion measurement by rewriting ad hyperlink href locations when the user is on www.facebook.com (as well as other outbound hyperlinks on that website). The link decoration tag is read from location.href through another code path. However, the mechanism outlined above allows for propagation of this identifier in the scenario where the user browses from facebook.com, clicks on an ad to go to a.example, and from there clicks on a hyperlink to go to b.example. Specifically, this mechanism allows tying the visit to b.example with the visits to a.example as well as facebook.com. The latter is required for the purpose of ad click conversion measurement, but the former is not. Therefore, this mechanism is viewed as a circumvention of ETP under this clause of our Anti-Tracking Policy.
As per that policy, I'm proposing to deploy a fix against this circumvention, by doing the following:
- When document.referrer is accessed, if the referrer URL includes an fbclid link decoration URL parameter, trim it down to the eTLD+1.
This is compatible with the mitigation that WebKit recently took against a similar attack (see https://bugs.webkit.org/show_bug.cgi?id=198227).
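As an added illustration of the proposed mitigation (not a patch to Gecko and not WebKit's implementation), the function below models the rule: a referrer whose query string carries fbclid is reduced to its scheme plus eTLD+1, and any other referrer passes through unchanged. Real eTLD+1 computation needs the Public Suffix List; the small `KNOWN_SUFFIXES` table here is a constructed stand-in so the example runs offline. The URL with a `.co.uk` host is also constructed, to show a multi-label suffix.

```javascript
// Added example: the proposed document.referrer trimming, as a standalone function.
// KNOWN_SUFFIXES is a constructed stand-in for the Public Suffix List, not the real list.
const KNOWN_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Return the registrable domain (eTLD+1) for a hostname, falling back to the whole
// hostname when no known public suffix matches.
function etldPlusOne(hostname) {
  const labels = hostname.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (KNOWN_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return hostname;
}

// Apply the proposed rule: only referrers carrying fbclid are trimmed; the rest are untouched.
function trimmedReferrer(referrer) {
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return referrer; // empty or malformed referrer: nothing to trim
  }
  if (!url.searchParams.has("fbclid")) return referrer;
  return `${url.protocol}//${etldPlusOne(url.hostname)}/`;
}

console.log(
  trimmedReferrer(
    "https://senglehardt.com/test/ads/facebook_conversion.html?fbclid=IwAR0xGU9TqQTWKR0ZFtrb3WN7PlDE77eRx267VGvM0OhXwg78u0XPzddWINc"
  )
);
```

With the report's referrer as input the result is `https://senglehardt.com/`, so the script on englehardt-tracker.com would no longer be able to read the click identifier out of document.referrer, while a referrer without fbclid keeps its full path and query.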