We need 100% clarification on what traffic will go through the proxy #31

Open
humbertoby8212 opened this issue Nov 20, 2023 · 2 comments


Having read the majority of issues/posts in this repo, I understand the following to be true:

  1. All first party traffic will not go through the proxy
    a. i.e. If you visit www.companyurl.com, all of the below example files would receive the originator IP address and not a proxy IP
      i. www.companyurl.com/image1.png
      ii. www.companyurl.com/file.js
      iii. www.companyurl.com/styles.css
  2. All third party traffic that is not listed by Google as a cross-site tracking script/tool will not go through the proxy
    a. i.e. If www.companyurl.com loads a JS file from a third party (www.thirdparty.com/calc.js) that is not listed by Google as a cross-site tracking domain, the third party (www.thirdparty.com) will receive the originator IP address and not a proxy IP
  3. Only domains listed by Google will go through the proxy
    a. There is no plan to send everything through the proxy

Please could you confirm or correct each of the points above so that we are 100% clear.

Please could you also answer the following questions:

  1. Is it just cross-site tracking domains that Google plans to send through the proxy?
  2. Do Google plan to send other website analytics domains through the proxy that don't partake in cross-site tracking?
  3. Do Google have a proposed list of domains that will be added to the proxy list that you can share with us?

I really appreciate you taking the time to clarify my understanding and answer my questions.
Thank you


kostajh commented Nov 20, 2023

@humbertoby8212 that is my understanding, but would be nice for someone from Google to definitively answer this. From what I can see, there is a fair amount of fear/uncertainty/doubt because of the lack of clarity on this. See also #13.

@jbradl11
Collaborator

Hi @humbertoby8212

You are correct on the first three points (see below for more details).

Chrome’s IP Protection uses a list-based approach to identify which third-party traffic goes through the proxies. Origins that are on the list but are accessed in a first-party context will not be proxied through this service for those connections.

For example, if an analytics company is on the list of domains and a user navigates directly to the site, that site will still be able to observe the user’s IP address instead of the proxied IP address. However, if that domain on the list makes a network request in a third-party context, the connection will be proxied and the user's original IP address will not be visible to the site.

Our ultimate goal is to prevent cross-site tracking of users across the web. We are working through some details before sharing more information about which third-party domains we plan to focus on initially.
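
The rule described in the reply above, modelled as an added example; it is not part of the original thread and not Chrome's implementation. The list entry `tracker.example`, the function names, matching the list by site, and the last-two-labels approximation of a site are all assumptions made for illustration.

```javascript
// Model of the proxying rule as described in this thread (not Chrome's code).
// Assumption: a "site" is approximated by the last two hostname labels. A real
// implementation would use the Public Suffix List (e.g. for example.co.uk).
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

// Constructed placeholder list; the actual list is not given on this page.
const PROXY_LIST = new Set(['tracker.example']);

// Decide which IP address the server receiving `requestUrl` would observe
// when the request is made from a page whose top-level URL is `topLevelUrl`.
function classifyRequest(topLevelUrl, requestUrl, list = PROXY_LIST) {
  const topSite = siteOf(new URL(topLevelUrl).hostname);
  const reqSite = siteOf(new URL(requestUrl).hostname);
  const thirdParty = topSite !== reqSite; // third-party context
  const listed = list.has(reqSite);       // assumption: list is matched by site
  const proxied = thirdParty && listed;   // both conditions must hold
  return { thirdParty, listed, proxied, ipSeenByServer: proxied ? 'proxy' : 'originator' };
}

// The four cases discussed in the thread, with constructed URLs.
function threadScenarios() {
  const page = 'https://www.companyurl.com/';
  return [
    // Point 1: first-party assets are never proxied.
    classifyRequest(page, 'https://www.companyurl.com/file.js'),
    // Point 2: third party that is not on the list is not proxied.
    classifyRequest(page, 'https://www.thirdparty.com/calc.js'),
    // Point 3: third party that is on the list is proxied.
    classifyRequest(page, 'https://cdn.tracker.example/t.js'),
    // Reply: a listed domain visited directly is first-party, so not proxied.
    classifyRequest('https://tracker.example/', 'https://tracker.example/dashboard'),
  ];
}

console.table(threadScenarios());
```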
