Bug 255450

Hello,

I contact you because I noticed adtech companies selling their Safari deterministic cross-domain tracking capabilities. From Taboola some time ago (cf. this thread https://twitter.com/WolfieChristl/status/1356547088692240386) to First.id (cf. this thread https://twitter.com/pixeldetracking/status/1645123172671389696). When I noticed Taboola tracking and read John Wilander answer https://twitter.com/johnwilander/status/1356638414880215040, I assumed I was protected (and I remembered Criteo tried this a long time ago, without success).

But then, I noticed that Safari didn't flag first-id bounce tracking if the user only consulted one, two or three different websites using first-id.fr tracking. It wasn't until the fourth website that first-id.fr was flagged by ITP (cf. this thread https://twitter.com/pixeldetracking/status/1646816439486099463). And in some circumstances, Safari might even not flag the website after 4+ domains (first-id made this video to "prove" their tracking was efficient: https://www.youtube.com/watch?v=cDKc7xALi1w).

Here are a few of the websites with first-id tracking. If you click on one of the website links (for the bounce tracker to be triggered, you have to consult 2 pages), and accepting cookies if you see the consent pop-up (but this pop-up might be dependant on you being in European Union):
- allocine.fr
- marmiton.org
- liberation.fr
- aufeminin.com
- doctissimo.fr
- marieclaire.fr
- capital.fr
- jeuxvideo.com

Their website: https://www.first-id.fr/
As they are not the only one, Taboola is using the same mechanism, I am afraid a few other adtech companies might also rely on this "ITP limitation".

ITP bounce tracking defense is working well if the user consult enough websites with first-id.fr tracker included, but I would have assumed ITP was protecting me from their tracking even if I only consulted 2 different domains, hence this bug filling.

Thanks in advance