neat, turning on "block third-party cookies" in Chrome prevents you from using HTTP/2 to track users across sites. blocking third-party cookies in Firefox doesn't prevent it, but setting "privacy.firstparty.isolate" does.
i assume that Safari has strong protection against this, but i don't have a Mac/iPhone to test it on
actually, with "force-cache" set, you can still get a stable identifier for the user in Chromium - even if "block third-party cookies" is enabled
so, fun, can't seem to block this off with Chromium. but "privacy.firstparty.isolate" in Firefox seems to isolate the HTTP cache too.
interesting, i'll try that. i was looking for that, but the only one that came up in about:flags was "Prefetch requests for cross-origin main resources are fetched with a special NetworkIsolationKey"
chromium.googlesource.com/chromium/src.g
These feature flags are what gets toggled by field trials (variations). The configuration at chromium.googlesource.com/chromium/src.g is a sample field trial configuration used for testing builds, which enables as many optional features as possible to maximize coverage.
These are spread throughout the code and defined with base::Feature like this:
    // Enable USB Bouncer for managing a device whitelist for USBGuard on Chrome OS.
    const base::Feature kUsbbouncer{"USBBouncer",
                                    base::FEATURE_DISABLED_BY_DEFAULT};

