
ETags can be used for tracking, but I happened to notice that Safari handles them differently from Chrome (and Firefox). I believe it's non-standard because it doesn't work across domains. If we imagine the browser using a map to see if it should send If-None-Match, Firefox and Chrome are keyed only on the URL to the asset.

(http://example.com/image.gif): <etag>

However, Safari is keyed on the host as well as the asset.

(http://mysite.com, http://example.com/image.gif): <etag>

This seems like a pretty effective way of preventing tracking with ETags. Anyone know how I can get Chrome to do the same thing? Or is it just a bug in Safari?

Update

I put the same image on two different sites (loaded from duckduckgo images; file name shows up as iu). Sorry about the broken links. I don't have permission to post them.

  • jsfiddle net/wmwfr4s8/
  • jsbin com/nuhiqupeme/edit?html,output

The testing procedure I followed:

  1. Clear cache.
  2. Open two empty tabs and open the debugger in each tab.
  3. Load the first URL: If-None-Match not sent.
  4. Reload the first URL: If-None-Match sent.
  5. Load the second URL: If-None-Match not sent.
  6. Reload the second URL: If-None-Match sent.
  • Could you please provide a source for your claim of Safari's behavior? And what about the Last-Modified header, which can be misused for the same thing? – Steffen Ullrich Apr 26 '16 at 04:43
  • I updated the question with my testing procedure. It's the same with Last-Modified/If-Modified-Since. – user108758 Apr 26 '16 at 11:49
  • Very interesting. I would suggest that this is deliberate and not a bug since Safari is also more restrictive regarding 3rd party cookies. But I cannot find any information related to this. – Steffen Ullrich Apr 26 '16 at 12:17
  • The best way to stop tracking would be to always fake the Referer, so it points to the domain of the resource. Whenever the browser requests example.com/image.png from within another site, it would just send example.com as the Referer. This works with almost every site and it also stops those stupid image protections some sites put in place. – Bachsau Oct 26 '18 at 23:10
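The two cache-keying models the question describes (URL only versus host plus URL) can be simulated to show exactly why partitioning defeats ETag-based tracking. The following is an added example written for this page, not code from any browser or from the poster; the toy server, the site names `mysite.com` / `othersite.com` and the `id-N` ETag values are constructed for the demonstration. The origin hands every uncached fetch a fresh ETag and records which top-level site later echoes it back in `If-None-Match`; the browser cache is either keyed on the asset URL alone (the Chrome/Firefox model from the question) or on the (top-level site, URL) pair (the Safari model).

```python
import itertools


class TrackerServer:
    """Constructed toy origin for http://example.com/image.gif.

    Every fetch without If-None-Match gets a fresh, unique ETag. Every request is
    logged as (etag, top_site) so we can ask afterwards whether one ETag was ever
    presented from more than one top-level site, i.e. whether visits are linkable.
    """

    def __init__(self):
        self._ids = itertools.count()
        self.seen = []  # list of (etag, top_site) observed by the server

    def handle(self, top_site, if_none_match=None):
        if if_none_match is not None:
            # Validator matched: the client revealed the identifier it was given earlier.
            self.seen.append((if_none_match, top_site))
            return 304, if_none_match
        etag = f'"id-{next(self._ids)}"'
        self.seen.append((etag, top_site))
        return 200, etag


class BrowserCache:
    """Minimal conditional-request cache with a switchable key scheme."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.store = {}  # key -> etag

    def _key(self, top_site, url):
        # Unpartitioned: the asset URL alone. Partitioned: (top-level site, URL).
        return (top_site, url) if self.partitioned else url

    def fetch(self, server, top_site, url):
        key = self._key(top_site, url)
        cached = self.store.get(key)  # None -> no If-None-Match header is sent
        status, etag = server.handle(top_site, cached)
        self.store[key] = etag
        return status


def run(partitioned):
    """Replay the question's test: load and reload the asset from two different sites.

    Returns the list of response statuses and the server, for inspection.
    """
    server = TrackerServer()
    cache = BrowserCache(partitioned)
    url = "http://example.com/image.gif"
    visits = ["http://mysite.com", "http://mysite.com",
              "http://othersite.com", "http://othersite.com"]
    statuses = [cache.fetch(server, site, url) for site in visits]
    return statuses, server


def sites_per_etag(server):
    """Map each ETag the server saw to the sorted set of top-level sites that sent it."""
    groups = {}
    for etag, site in server.seen:
        groups.setdefault(etag, set()).add(site)
    return {etag: sorted(sites) for etag, sites in groups.items()}


def cross_site_linkable(server):
    """True if any single ETag was presented from two or more top-level sites."""
    return any(len(sites) > 1 for sites in sites_per_etag(server).values())


if __name__ == "__main__":
    for partitioned in (False, True):
        statuses, server = run(partitioned)
        print(f"partitioned={partitioned}: statuses={statuses} "
              f"linkable={cross_site_linkable(server)} {sites_per_etag(server)}")
```

With the URL-only key the third visit already sends `If-None-Match` (a 304 instead of a 200), so the server sees `"id-0"` from both `mysite.com` and `othersite.com` and can link the two visits. With the partitioned key the first visit from each site is a cache miss, each site gets its own identifier, and no ETag is ever seen from two sites. The same simulation applies unchanged to `Last-Modified` / `If-Modified-Since`, since that header is just another per-response value the client echoes back.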
