CNAME Cloaking and Bounce Tracking Defense
This blog post covers several enhancements to Intelligent Tracking Prevention (ITP) in Safari 14 on macOS Big Sur, Catalina, and Mojave, iOS 14, and iPadOS 14 to address our latest discoveries in the industry around tracking.
CNAME Cloaking Defense
ITP now caps the expiry of cookies set in so-called third-party CNAME-cloaked HTTP responses to 7 days. On macOS, this enhancement is specific to Big Sur.
What Is CNAME Cloaking?
In the eyes of web browsers, the first party of a website is typically defined by its registrable domain. This means that
comments.blog.example are considered same-site and the same party. If the user loads a webpage from
www.blog.example, and that page makes a subresource request to
comments.blog.example, that request will carry all cookies that are set to cover the
blog.example site, including login cookies and user identity cookies. In addition, the response to that
comments.blog.example subresource request can set cookies for
blog.example, and those cookies will be first-party cookies.
Enter CNAMEs. CNAME stands for canonical name record and maps one domain name to another as part of the Domain Name System, or DNS. This means a site owner can configure one of their subdomains, such as
sub.blog.example, to resolve to
thirdParty.example, before resolving to an IP address. This happens underneath the web layer and is called CNAME cloaking — the
thirdParty.example domain is cloaked as
sub.blog.example and thus has the same powers as the true first party.
CNAME Cloaking and Tracking
track.blog.example resolve to
A recent paper from researchers at the Graduate University for Advanced Studies (Sokendai) and the French National Cybersecurity Agency (ANSSI) found 1,762 websites CNAME cloaking 56 trackers in total.
CNAME Cloaking and Website Security
Site owners who set up CNAME cloaking risk full website takeovers or customer cookie hijacking if the CNAME records aren’t properly managed, for instance if CNAME cloaking isn’t decommissioned when no longer in use. It was recently reported that 250 websites of banks, healthcare companies, restaurant chains, and civil rights groups had been compromised through mismanaged CNAME cloaking. In June this year, Microsoft documented these attacks and how their cloud customers should prevent them.
ITP’s Defense Against CNAME Cloaking Tracking
Third-party CNAME cloaking is defined as a first-party subresource that resolves through a CNAME that differs from the first-party domain and differs from the top frame host’s CNAME, if one exists. Yes, the whole site can be CNAME cloaked, when it uses so called edge servers.
The best way to explain this is through a table (1p means first-party, 3p means third-party):
|1p host, e.g. www.blog.example||1p subdomain other than the 1p host, e.g. track.blog.example||Capped cookie expiry?|
|No cloaking||No cloaking||No cap|
|No cloaking||other.blog.example (1p cloaking)||No cap|
|No cloaking||tracker.example (3p cloaking)||7-day cap|
|abc123.edge.example (cloaking)||No cloaking||No cap|
|abc123.edge.example (cloaking)||abc123.edge.example (matching cloaking)||No cap|
|abc123.edge.example (cloaking)||other.blog.example (1p cloaking)||No cap|
|abc123.edge.example (cloaking)||tracker.example (3p cloaking)||7-day cap|
SameSite=Strict Cookie Jail for Bounce Trackers
In June 2018, we announced an update to ITP to detect and defend against first party bounce trackers. In March 2020, we announced an enhancement to also detect delayed bounce tracking. Since then, we have received a report of one specific website engaged in bounce tracking while also being likely to get frequent user interaction. To combat such issues, we proposed to the W3C Privacy Community Group what we call a SameSite=Strict jail as well as other escalations.
What the SameSite=strict jail does is detect bounce tracking and, at a certain threshold, rewrite all the tracking domain’s cookies to SameSite=strict. This means that they will not be sent in cross-site, first-party navigations, and they can no longer be used for simple redirect-based bounce tracking.
Our implementation is rather relaxed, with the threshold set to 10 unique navigational, first-party redirects (unique in the sense of going to unique domains), and an automatic reset of that counter once the cookies are rewritten to SameSite=strict. This automatically gives the domain a new chance so that they can disengage in bounce tracking and “get out of jail.”
Our current list of domains we subject to this protection is empty because the domain reported to us has stopped their bounce tracking. But this protection remains in our toolbox.
Partitioned Ephemeral IndexedDB
Up until now, WebKit has blocked cross-origin IndexedDB. WebKit now allows partitioned and ephemeral third-party IndexedDB in an effort to align with other browsers now that they are interested in storage partitioning too. You can partake in the ongoing standardization effort for storage partitioning on GitHub.
Partitioned means unique IndexedDB instance per first-party site and ephemeral means in-memory-only, i.e. goes away on browser quit.
Third-Party Cookie Blocking and Storage Access API In Private Browsing
Private Browsing in Safari is based on WebKit’s ephemeral sessions where nothing is persisted to disk. This means ITP would not be able to learn things between launches of Safari. Further, Private Browsing also uses a separate ephemeral session for each new tab the user opens. To uphold this separation between tabs, ITP wouldn’t be able to classify cross-site trackers from the user’s full browsing even in-memory.
However, full third-party cookie blocking doesn’t need classification and is now enabled by default in Private Browsing. This might seem simple to support but the challenge was to make the Storage Access API work with the aforementioned tab separation. This is how it works: Say
identityProvider.example wants to request storage access as third-party on the login page for
social.example in Tab A. Interacting with
identityProvider.example as a first party website in Tab B will not suffice to allow it to request storage access in Tab A since that would leak state between the separate ephemeral sessions. Thus, the user must interact with
identityProvider.example in the same tab as where
identityProvider.example later requests storage access as third-party. This makes sure that login flows where two different parties are involved and third-party cookie access is required, is possible in Private Browsing mode.
Home Screen Web Application Domain Exempt From ITP
Back in March 2020, when we announced ITP’s 7-day cap on all script-writeable storage, developers asked about home screen web applications and whether they were exempt from this 7-day cap. We explained how ITP’s counter of “days of use” and capture of user interaction effectively made sure that the first party of home screen web applications would not be subjected to the new 7-day cap. To make this more clear, we have implemented an explicit exception for the first-party domain of home screen web applications to make sure ITP always skips that domain in its website data removal algorithm.
In addition, the website data of home screen web applications is kept isolated from Safari and thus will not be affected by ITP’s classification of tracking behavior in Safari.
Thanks To My Coworkers
The above updates to WebKit and ITP would not have been possible without the help from Kate, Jiten, Scott, Tommy, Sihui, and David. Thank you!