Abstract | Protecting the privacy of web users against tracking by blocking third-party content has become a cat-and-mouse game. Continuously changing tracking methods make it difficult to block all third-party content. On the other hand, it is necessary to accept some third-party content to ensure web site functionality. In this work we present the concept and an implementation for the automatic isolation of the locally stored web site state into separate containers. This eliminates the ability of trackers to re-identify users across different sites, by isolating HTTP cookies, HTML5 Web Storage, Indexed DB, and the browsing cache. The so-called Site Isolation was implemented for the Chromium browser and in addition secures the browser against CORS, CSRF, and click-jacking attacks, while limiting the impact of cache timing, and rendering engine hijacking. To evaluate the effectiveness of Site Isolation, we visited 1.6 million pages on over 94,000 distinct domains and compared the data saved against usual browsing. We show that top trackers collect enough information to identify billions of users reliably. In contrast, with Site Isolation in place the number of tracked pages can be reduced by 44%. |
---|