Bounce Tracking Protection
Bounce Tracking Protection (BTP) is an anti-tracking feature in Gecko which detects bounce trackers (navigational tracking) based on a set of heuristics. As opposed to the cookie purging feature it does not rely on a list of trackers which makes it more webcompat friendly while also covering unknown bounce trackers.
Standardization
The protection is a work item of the PrivacyCG. The implementation in Gecko closely follows the Bounce Tracking Mitigations spec draft.
Mozilla also has a specification position on Bounce Tracking Mitigations.
Behavior
BTP detects bounce trackers by looking at navigation timing. It establishes the concept of an extended navigation which can encompass a chain of short-lived redirects. These short-lived redirects are commonly used by bounce trackers. If a site accesses cookies or storage in such a short-lived redirect it gets added to a classification list. Classified bounce trackers have their cookies, site data and cache purged periodically. In order to avoid false positives and purging data that may be important for users, sites which the user directly interacted with in the last 45 days are exempt from being classified or purged.
See Bounce Tracking Mitigations Explainer for a more detailed (albeit chromium-oriented) description of the feature and how trackers are classified.
Gecko Implementation
Work for the Gecko implementation in tracked under following meta-bug: Bug 1839915 - [meta] Bounce Tracking Protection.
A simplified UML diagram of the BTP implementation in Gecko. Note that some classes and attributes have been omitted for readability. You can use the diagram feature in Searchfox to view the full diagram (example).
classDiagram class BounceTrackingProtection { - mBounceTrackingPurgeTimer: nsITimer - mStorage: BounceTrackingProtectionStorage - mStorageObserver: BounceTrackingStorageObserver } note for BounceTrackingProtection "Singleton class to manage the feature." class BounceTrackingProtectionStorage { - mStateGlobal : nsTHashMap<OriginAttributesHashKey, RefPtr<BounceTrackingStateGlobal>> - mDatabaseFile : nsCOMPtr<nsIFile> } class BounceTrackingStateGlobal { - mUserActivation: nsTHashMap<nsCStringHashKey, PRTime> - mBounceTrackers: nsTHashMap<nsCStringHashKey, PRTime> - mOriginAttributes: OriginAttributes } note for BounceTrackingStateGlobal "Manages the global maps for bounce tracker candidates and user activation for a specific OriginAttributes dict." class BounceTrackingStorageObserver { <!-- [...] --> } note for BounceTrackingStorageObserver "Listens to cookie/storage access and notifies BounceTrackingState" class BounceTrackingRecord { - mInitialHost: nsAutoCString - mBounceHosts: nsTHashSet<nsCStringHashKey> - mFinalHost: nsAutoCString - mStorageAccessHosts: nsTHashSet<nsCStringHashKey> } note for BounceTrackingRecord "Encapsulates the per-tab navigation state during an extended navigation." class BounceTrackingState { - mBounceTrackingProtection: BounceTrackingProtection - mBounceTrackingRecord: BounceTrackingRecord - mClientBounceDetectionTimeout: nsReadOnlyTimer - mOriginAttributes: OriginAttributes } class BrowsingContextWebProgress { - mBounceTrackingState: BounceTrackingState } class nsIBTPExceptionList { <!-- Bug 1930704: Empty classes lead to build errors. Adding a comment inside the class fixes the issue --> <!-- [...] --> } class BounceTrackingAllowList { <!-- [...] --> } class DocumentLoadListener{ <!-- [...] --> } note for BrowsingContextWebProgress "Every tab has a web progress and therefore a BounceTrackingState" BounceTrackingProtection *-- BounceTrackingProtectionStorage BounceTrackingProtection *-- BounceTrackingStorageObserver BounceTrackingState --o BounceTrackingProtection BounceTrackingState --> BounceTrackingProtection : RecordStatefulBounces() on extended nav end BounceTrackingState *-- BounceTrackingRecord BounceTrackingStorageObserver --> BounceTrackingState : Storage access signals BrowsingContextWebProgress *-- BounceTrackingState BounceTrackingStateGlobal --* BounceTrackingProtectionStorage BounceTrackingStateGlobal --> BounceTrackingProtectionStorage : Persists state changes in storage. BounceTrackingProtection --> BounceTrackingStateGlobal : Manages global state nsIBTPExceptionList --* BounceTrackingProtection nsIBTPExceptionList --> BounceTrackingProtection : Site host purge exceptions from RemoteSettings. BounceTrackingAllowList --* BounceTrackingProtection BounceTrackingAllowList --> BounceTrackingProtection : Site host purge exceptions from PermissionManager. BrowsingContextWebProgress --> BounceTrackingState : Navigation signals DocumentLoadListener --> BounceTrackingState : Navigation signals
Preferences
The feature can be enabled and it’s behavior can be adjusted using the
privacy.bounceTrackingProtection.*
prefs. See
StaticPrefList.yaml
for a list of prefs with descriptions.
The main feature pref is privacy.bounceTrackingProtection.mode
where 0
is
fully disabled and 1
is fully enabled. See
nsIBounceTrackingProtection.idl
for a full list of options.
When classifying sites, BTP also looks at whether the site accessed cookies or
storage in the redirect. Whether cookies or storage access is considered is
controlled by the privacy.bounceTrackingProtection.requireStatefulBounces
pref.
Nimbus Integration
A subset of the BTP prefs can be controlled via Nimbus. See definition here: FeatureManifest.yaml.
Logging
BTP has a logger which can be enabled by starting Firefox with the MOZ_LOG
environment variable. Use MOZ_LOG=BounceTrackingProtection:5
for verbose
logging for every navigation and MOZ_LOG=BounceTrackingProtection:3
for more
concise logging focused on classification and purging.
Console Messages
You can check the developer tools console for warning messages which will be logged when a site gets classified. Example:
“bounce-tracking-demo-tracker-server.glitch.me” has been classified as a bounce tracker. If it does not receive user activation within the next 3,600 seconds it will have its state purged.
When a site has recently been purged (since last restart), upon next visit, Firefox will also log a warning to the website console:
The state of “bounce-tracking-demo-tracker-server.glitch.me” was recently purged because it was detected as a bounce tracker.
Testing
When testing sites to ensure they don’t get purged for bounce tracking behavior you can use both logging (as described above) to observe classification and direct calls to the feature via the Browser Toolbox to trigger the purging early.
The snippets in the following section need to be executed in the Browser Toolbox. Note that while the toolbox looks like the regular devtools it’s a special console used to debug Firefox itself rather than websites.
Print the list of classified bounce trackers
To get a list of all currently classified bounce trackers use the following snippet:
await Cc[
"@mozilla.org/bounce-tracking-protection;1"
].getService(Ci.nsIBounceTrackingProtection).testGetUserActivationHosts({})
This prints the list excluding private browsing and tab containers. For those
you need to pass in an OriginAttributes
object. See
nsIBounceTrackingProtection
for more documentation.
Sites which have been purged or which receive user interaction are automatically removed from this list.
Note that just because a site is in this list it doesn’t mean that it gets classified. Once classified there is a grace period of 1h in which the site may receive user interaction. If the user interacts with the site in that time window it is removed from the bounce tracker list and exempt from purging for 45 days.
Trigger a purge of all classified trackers:
Before navigating to the site set
privacy.bounceTrackingProtection.bounceTrackingGracePeriodSec
to 0
or a low
number. This controls how fast after (classified) bounce a site may be purged.
If you don’t update this pref you need to wait up to 1h for a site to be purged.
Purges normally run every hour. To trigger a purge manually you can use the following snippet:
await Cc[
"@mozilla.org/bounce-tracking-protection;1"
].getService(Ci.nsIBounceTrackingProtection).testRunPurgeBounceTrackers();
The return value will be an array of sites that have been purged. Note that purging applies for the entire domain (eTLD+1).
List recently purged sites
You can obtain a list of recently purged sites (since the last restart) by calling:
await Cc[
"@mozilla.org/bounce-tracking-protection;1"
].getService(Ci.nsIBounceTrackingProtection).testGetRecentlyPurgedTrackers({});
This only shows sites which have been purged in normal browsing. If you want
data from private browsing or containers you need to pass in a non-default
OriginAttributes
object, e.g. { privateBrowsingId: 1 }
.
There is also hasRecentlyPurgedSite
which can be used to check if a specific
site has been recently purged (across all OriginAttributes contexts).
Test Page
https://bounce-tracking-demo.glitch.me/ is a demo page with two links that exhibit bounce tracking behaviour. You can use it combined with the methods above to verify that the mechanism is running.