Ok, thanks for clarifying. LGTM1
On Wed, Jul 16, 2025 at 8:51 AM 'Zainab Rizvi' via blink-dev < blink-dev@chromium.org> wrote: > Hi Chris! We will have a few UI indicators when a resource is blocked: > > 1. The "eye" icon will show up in the Omnibox that will allow users to > disable the feature on a particular top-level site. > 2. There is a toggle in settings for users to disable the feature entirely. > 3. For developers, a dedicated issue will pop up in the "Issues" tab. > 4. For developers, there is a dedicated network error > <https://source.chromium.org/chromium/chromium/src/+/main:net/base/net_error_list.h;l=136?q=BLOCKED_BY_FINGER&sq=&ss=chromium> > in > the "Network" tab. > > On Wed, Jul 16, 2025 at 11:32 AM Chris Harrelson <chris...@chromium.org> > wrote: > >> In case of something breaking: When a script is blocked, is the user able >> to find that out in a site settings dialog? >> >> On Tue, Jul 15, 2025 at 7:59 AM 'Zainab Rizvi' via blink-dev < >> blink-dev@chromium.org> wrote: >> >>> Yes, though Script Blocking in Incognito would have the same observable >>> effect as extensions that block resources, such as ad blockers. The team is >>> also adding monitoring to see if incognito detectability is on the rise due >>> to these features. >>> >>> On Mon, Jul 14, 2025 at 7:23 PM Gregg Tavares <g...@chromium.org> wrote: >>> >>>> Does this enable more detection of incognito mode by sites? >>>> >>>> On Mon, Jul 14, 2025 at 1:08 PM 'Zainab Rizvi' via blink-dev < >>>> blink-dev@chromium.org> wrote: >>>> >>>>> Hi, Alex! This will only be enabled for Chrome's Incognito mode. >>>>> >>>>> On Mon, Jul 14, 2025 at 2:19 PM Alex Russell <slightly...@chromium.org> >>>>> wrote: >>>>> >>>>>> Will this be enabled for all Chromium browsers by default? >>>>>> >>>>>> On Monday, July 14, 2025 at 8:54:57 AM UTC-7 riz...@google.com wrote: >>>>>> >>>>>>> Contact emails >>>>>>> >>>>>>> riz...@google.com, mk...@chromium.org >>>>>>> >>>>>>> Explainer >>>>>>> >>>>>>> https://github.com/explainers-by-googlers/script-blocking >>>>>>> >>>>>>> Specification >>>>>>> >>>>>>> https://github.com/whatwg/fetch/pull/1840 >>>>>>> >>>>>>> Summary >>>>>>> >>>>>>> Mitigating API Misuse for Browser Re-Identification, otherwise known >>>>>>> as Script Blocking, is a feature that will block scripts engaging in >>>>>>> known, >>>>>>> prevalent techniques for browser re-identification in third-party >>>>>>> contexts. >>>>>>> These techniques typically involve the misuse of existing browser APIs >>>>>>> to >>>>>>> extract additional information about the user's browser or device >>>>>>> characteristics. >>>>>>> >>>>>>> To strike this balance between protection and usability, this >>>>>>> proposal focuses on blocking scripts in a third-party context in >>>>>>> Incognito >>>>>>> mode, enhancing Incognito's protections against cross-site tracking when >>>>>>> users choose to browse in this mode. >>>>>>> >>>>>>> This proposal uses a list-based approach, where only domains marked >>>>>>> as “Impacted by Script Blocking” on the Masked Domain List >>>>>>> <https://github.com/GoogleChrome/ip-protection/blob/main/Masked-Domain-List.md> >>>>>>> (MDL) in a third-party context will be impacted. >>>>>>> >>>>>>> When the feature is enabled, Chrome will check network requests >>>>>>> against the blocklist. This feature will reuse Chromium's >>>>>>> subresource_filter component, which is responsible for tagging and >>>>>>> filtering subresource requests based on page-level activation signals >>>>>>> and a >>>>>>> ruleset used to match URLs for filtering. >>>>>>> >>>>>>> 1% Experiment Summary >>>>>>> >>>>>>> Our 1% stable Incognito experiment did not show any statistically >>>>>>> significant movement for Incognito-specific Core Web Vitals. >>>>>>> Furthermore, >>>>>>> we did not receive any breakage reports pertaining to this experiment. >>>>>>> >>>>>>> As the feature is only enabled for third party resources in >>>>>>> Incognito sessions, the sample size is smaller than we typically >>>>>>> observe in >>>>>>> a 1% experiment. We plan to carefully ramp the experiment to evaluate >>>>>>> performance and stability impact before launching to Incognito 100%. >>>>>>> >>>>>>> Blink component >>>>>>> >>>>>>> Blink>Network>FetchAPI >>>>>>> >>>>>>> TAG review >>>>>>> >>>>>>> https://github.com/w3ctag/design-reviews/issues/1114 >>>>>>> >>>>>>> TAG review status >>>>>>> >>>>>>> Closed (resolution: decline) >>>>>>> >>>>>>> >>>>>>> Risks >>>>>>> >>>>>>> Interoperability and Compatibility >>>>>>> >>>>>>> There shouldn’t be any interop concerns. >>>>>>> >>>>>>> In terms of compatibility, this feature is anticipated to have an >>>>>>> impact on websites that rely on scripts from domains identified as >>>>>>> serving >>>>>>> fingerprinting techniques. Sites that integrate third-party scripts from >>>>>>> identified domains may experience functional breakage or render >>>>>>> incorrectly >>>>>>> when accessed in Incognito mode. We are attempting to mitigate this >>>>>>> risk by >>>>>>> applying temporary exceptions if we determine that the intervention on a >>>>>>> particular domain may cause significant user experience impact. >>>>>>> >>>>>>> Gecko: No signal >>>>>>> >>>>>>> WebKit: Shipped/Shipping Safari has a similar feature as part of >>>>>>> "Intelligent Tracking Prevention" (ITP) >>>>>>> >>>>>>> Firefox: Shipped/Shipping Firefox has a similar feature as part of >>>>>>> "Enhanced Tracking Protection" >>>>>>> >>>>>>> Web developers: <will fill out after explainer publication> >>>>>>> >>>>>>> WebView application risks >>>>>>> >>>>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>>>> that it has potentially high risk for Android WebView-based >>>>>>> applications? >>>>>>> >>>>>>> No, we are not proposing to ship this on WebView. >>>>>>> >>>>>>> Debuggability >>>>>>> >>>>>>> We have added support in DevTools Issues to indicate which requests >>>>>>> are being blocked by this feature. >>>>>>> >>>>>>> We also have >>>>>>> chrome://flags/#enable-fingerprinting-protection-blocklist-incognito >>>>>>> which >>>>>>> developers and users can use for testing suspected breakage even before >>>>>>> we >>>>>>> ship. >>>>>>> >>>>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? >>>>>>> >>>>>>> No. We plan to launch this on all Blink platforms except WebView. >>>>>>> >>>>>>> Is this feature fully tested by web-platform-tests >>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>>>> ? >>>>>>> >>>>>>> We are exploring ways to test this feature via WPT. This isn’t >>>>>>> possible today given the implementation-defined nature of blocked >>>>>>> resources. Some explorations are discussed here >>>>>>> <https://explainers-by-googlers.github.io/script-blocking/#testing>. >>>>>>> >>>>>>> Flag name on about://flags >>>>>>> >>>>>>> chrome://flags/#enable-fingerprinting-protection-blocklist-incognito >>>>>>> >>>>>>> Finch feature name >>>>>>> >>>>>>> EnableFingerprintingProtectionInIncognito >>>>>>> >>>>>>> Rollout plan >>>>>>> >>>>>>> (RARE) Experiment users ramp up over time >>>>>>> >>>>>>> Requires code in //chrome? >>>>>>> >>>>>>> False >>>>>>> >>>>>>> Tracking bug >>>>>>> >>>>>>> https://issues.chromium.org/issues/431761692 >>>>>>> <https://issues.chromium.org/issues/370696608> >>>>>>> >>>>>>> >>>>>>> Launch bug >>>>>>> >>>>>>> https://launch.corp.google.com/launch/4367306 >>>>>>> >>>>>>> Estimated milestones >>>>>>> >>>>>>> Shipping on Desktop >>>>>>> >>>>>>> 140 >>>>>>> >>>>>>> Shipping on Android >>>>>>> >>>>>>> 140 >>>>>>> >>>>>>> Anticipated spec changes >>>>>>> >>>>>>> Open questions about a feature may be a source of future web compat >>>>>>> or interop issues. Please list open issues (e.g. links to known github >>>>>>> issues in the project for the feature specification) whose resolution >>>>>>> may >>>>>>> introduce web compat/interop risk (e.g., changing to naming or >>>>>>> structure of >>>>>>> the API in a non-backward-compatible way). >>>>>>> >>>>>>> None >>>>>>> >>>>>>> Link to entry on the Chrome Platform Status >>>>>>> >>>>>>> https://chromestatus.com/feature/5188989497376768 >>>>>>> >>>>>>> Links to previous Intent discussions >>>>>>> >>>>>>> Intent to Experiment: >>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/NJvGkSvLk8I?e=48417069 >>>>>>> >>>>>>> >>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to blink-dev+unsubscr...@chromium.org. >>>>> To view this discussion visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsjkJMw5aXR6T%3DQiiajtqAC0s9uqaWEZYgM6J4hUj5W7fA%40mail.gmail.com >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsjkJMw5aXR6T%3DQiiajtqAC0s9uqaWEZYgM6J4hUj5W7fA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+unsubscr...@chromium.org. >>> To view this discussion visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsjGDTA_6ONhuHAxhg7yi-n9kC2y9JdL5nXtUzjb3FXd2Q%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsjGDTA_6ONhuHAxhg7yi-n9kC2y9JdL5nXtUzjb3FXd2Q%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsieQ5z%3DKQEOQ_ELRSXHW1-agGASiD0aaVpkCku_BR%2BL%2Bg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFhOYsieQ5z%3DKQEOQ_ELRSXHW1-agGASiD0aaVpkCku_BR%2BL%2Bg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-WO%3DLD3JeHnD3Bz%2BfO2YACZfFaaCAv2VzERBNP23fmNw%40mail.gmail.com.