Revert query-stripping allowlist for googleadservices.com
Categories: Core :: Privacy: Anti-Tracking, task
People: Reporter: pbz, Unassigned
References: Blocks 1 open bug
Details
Breakage bug for which this skiplist entry is being added (also add in "Depends on"): Bug 1853049
Tracking protection feature(s) to be skiplisted: query-stripping
Pattern to be skiplisted: googleadservices.com
Timeline of intervention (See our timeline policy): 3 months
Planned steps to resolve intervention (e.g., outreach, technical fixes, policy fixes): Outreach to Google
Comment 1•1 year ago
I ran some tests and it seems to be working without the gclid now.
What's the best way to change Firefox so I can test this locally?
Reporter
Comment 2•1 year ago
(In reply to Mike Kaply [:mkaply] from comment #1)
> I ran some tests and it seems to be working without the gclid now.
> What's the best way to change Firefox so I can test this locally?
We have a local test pref but that can't revert allowlist entries coming from RemoteSettings.
You can install the remote settings devtools from here and switch to "Stage (preview)" using the extension page (click on the extension icon). I've removed the allow-list entry there. To make sure you have the latest list from remote settings I recommend pressing the "force sync" button for the "main-preview/query-stripping" item.
Comment 3•1 year ago
I verified this still doesn't work. (I guess I was testing wrong)
I'm unclear as to what we think reaching out to Google would do.
I'm sure their answer will be "gclid is needed for redirect"
Comment 4•11 months ago
I managed to strip "gclid" by also removing the "sig" parameter...
Comment 5•11 months ago
So if you stripped gclid and sig it redirected?
I'm still not convinced we want to do this, though.
Comment 6•11 months ago
Right, without both attributes, the link works. With "sig", it's busted. At a guess, it looks like Google is trying to add integrity protection to these links with "sig", but not enforcing a rule that says that links need to be integrity protected. For instance, it is possible that stripping "sig" has an effect that we cannot observe, like causing the ad click to be disregarded for attribution purposes because it looks more like click fraud. But that's pure speculation.
For the case of a link that goes from google.com to googleadservices.com, loosening the restriction ultimately doesn't help tracking end-to-end; it only allows Google and their ad systems to be synchronized. Google could have made the link destination same-site, where we don't bother to strip decorations (of course, this might not be easy because there are likely other, good reasons for this being cross-site).
Comment 7•11 months ago
Another observation is that the link that is produced from the redirector contains the following: "&_x_ns_wbraid={wbraid}&_x_ns_gbraid={gbraid}". That suggests something, but I'm not sure that it is very useful, except perhaps as an indicator that "_x_ns_[gw]braid" is worth looking into more.
Reporter
Comment 8•10 months ago
After more investigation, we have decided to keep the allow-list entry for query stripping for googleadservices.com for now. Without it, some links from Google search results break and leave the user stranded, and Google seems unlikely to help address this.
We’re comfortable doing this because for search results the allow-list entry does not meaningfully reduce privacy protections: While we don’t strip gclid in the initial redirect from google.com → googleadservices.com, we still strip it before navigating to the destination page. So the unique identifier is only used to synchronise two internal Google systems (which they could easily do some other way) and cannot be used for cross-site tracking between Google and the destination site.
Example:
Without allow-list entry:
google.com/?gclid=x → googleadservices.com/?gclid=x → example.com
With the allow-list entry in place:
google.com/?gclid=x → googleadservices.com/?gclid=x → example.com/?gclid=x
When the user is redirected through googleadservices.com anywhere else on the web, e.g. by clicking on an ad, gclid may still be transmitted.
We regularly clear cookies for googleadservices.com and other trackers on the Disconnect list with redirect tracking protection and are working on an improved version in Bug 1839915.
This allow-listing can be disabled along with our other anti-tracking web compatibility features, though this of course may lead to more sites breaking.
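A simplified model of per-hop query stripping with an allow-list, following the prose of comment 8; it is an added example, not Firefox code and not part of the bug. The function names, the single-entry strip list, the two-label "site" approximation, the URLs and the redirector are all assumptions made for illustration.

```javascript
// Model only. Assumptions: the strip list holds just "gclid"; a "site" is the
// last two host labels (browsers use the Public Suffix List); URLs are constructed.
const STRIP_LIST = new Set(["gclid"]);

function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns the URL actually loaded when `fromUrl` navigates or redirects to `toUrl`.
function stripOnNavigation(fromUrl, toUrl, allowList) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Same-site hops are left alone; only cross-site decoration is stripped.
  if (site(from.hostname) === site(to.hostname)) return to.href;
  // An allow-list entry exempts loads of that site only, not later hops.
  if (allowList.has(site(to.hostname))) return to.href;
  for (const name of [...to.searchParams.keys()]) {
    if (STRIP_LIST.has(name.toLowerCase())) to.searchParams.delete(name);
  }
  return to.href;
}

// Each hop maps the URL that was really loaded to its redirect target, so an
// identifier stripped on an earlier hop cannot be forwarded by a later one.
function followChain(startUrl, firstTarget, hops, allowList) {
  const loaded = [stripOnNavigation(startUrl, firstTarget, allowList)];
  for (const hop of hops) {
    const prev = loaded[loaded.length - 1];
    loaded.push(stripOnNavigation(prev, hop(prev), allowList));
  }
  return loaded;
}

// Constructed redirector: forwards any gclid it received to the destination.
// (The real one fails without gclid; this stand-in just redirects.)
const redirector = (loadedUrl) => {
  const id = new URL(loadedUrl).searchParams.get("gclid");
  return "https://example.com/landing" + (id ? "?gclid=" + id : "");
};

const SEARCH = "https://www.google.com/search?q=shoes";
const AD_LINK = "https://www.googleadservices.com/aclk?gclid=x";
const withEntry = followChain(SEARCH, AD_LINK, [redirector],
  new Set(["googleadservices.com"]));
const withoutEntry = followChain(SEARCH, AD_LINK, [redirector], new Set());
console.log({ withEntry, withoutEntry });
```

In this model the allow-list entry changes only what the redirector itself receives; the identifier is still removed on the cross-site hop to the destination.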