Script Blocking

Script Blocking enhances Incognito mode's tracking protections by blocking the execution of known, prevalent techniques for browser re-identification used in third-party (embedded) contexts. It applies to domains marked as "Entire Domain Blocked" or "Some URLs are Blocked" in the Masked Domain List (MDL). This subset of the MDL is known as the Blocked Domain List.

When the feature is enabled, Chrome checks network requests against the MDL. When a request's domain matches, active resources from that domain (those that can execute code or perform actions within a web page, such as scripts or iframes) are blocked. Static resources (for example, images and stylesheets) are not blocked.

Users will have the ability to disable Script Blocking in Chrome settings.

Scope of Script Blocking

Chrome has developed a methodology to identify widely used JavaScript functions that provide sufficiently unique and stable information from web APIs to identify users. For example, the Canvas API renders images slightly differently for different web browsers and platforms. A script might use this information to identify a user.

Once these signatures have been identified, Chrome crawls the web to find matches for code used to identify users, and generates a list of domains that serve scripts that use the matched code.

The list undergoes some additional treatments before it's ready to be applied in Incognito.

Shared domains

Scripts may be served from different paths of the same shared domain. For example, CDN domains are often shared by many clients. Chrome calculates the proportion of a host's traffic that is serving a detected script, and if the proportion is less than a threshold value, Chrome considers the host a shared domain. In this case, Script Blocking only applies to a specific path, rather than the whole domain.

Third-party context

For Script Blocking, Chrome only checks active resources that are served from a third-party context in Incognito. If a resource's domain matches the top-level domain, it is considered first-party. Additionally, to determine first-party vs. third-party, Chrome employs a best-effort approach to deduce domain ownership by leveraging an entity mapping created by Disconnect.me. Resources served by domains in the same entity mapping are treated as first-party. If Chrome's deduced ownership contains errors, the domain owner can contact Disconnect.me at mdl_evaluations@disconnect.me.
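
The rules above (active vs. static resources, whole-domain vs. path-only blocking for shared domains, and the first-party test with entity mapping) can be combined into one decision function. The following is an added example, not Chrome's code: the list format, the entity map, all domain names, and the subdomain, path-prefix and two-label "site" matching are assumptions made for illustration. Web compatibility exceptions are not modelled.

```javascript
// Simplified model of the checks described above; NOT Chrome's implementation.
// All domains, list entries and the entity map are constructed for illustration.
const BLOCKED_LIST = [
  { domain: "fp-vendor.example", scope: "entire" },           // "Entire Domain Blocked"
  { domain: "cdn.example", scope: "paths", paths: ["/fp/"] }, // shared domain: "Some URLs are Blocked"
];
const ENTITY_MAP = new Map([
  ["fp-vendor.example", "VendorCo"],
  ["vendor-portal.example", "VendorCo"],
]);
const ACTIVE_TYPES = new Set(["script", "iframe"]);

// Assumption: the last two labels stand in for the registrable domain.
// A faithful version would use the Public Suffix List.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// First-party if same site as the top-level page, or same owner in the entity map.
function isFirstParty(resourceHost, topLevelHost) {
  const r = site(resourceHost), t = site(topLevelHost);
  if (r === t) return true;
  const owner = ENTITY_MAP.get(r);
  return owner !== undefined && owner === ENTITY_MAP.get(t);
}

// Assumption: subdomains match a listed domain, and listed paths match by prefix.
function matchesList(url) {
  const host = url.hostname.toLowerCase();
  return BLOCKED_LIST.some((e) => {
    if (host !== e.domain && !host.endsWith("." + e.domain)) return false;
    return e.scope === "entire" || e.paths.some((p) => url.pathname.startsWith(p));
  });
}

// Decision for one subresource request made in Incognito.
function decide({ resourceUrl, resourceType, topLevelUrl, featureEnabled = true }) {
  if (!featureEnabled) return { blocked: false, reason: "feature disabled" };
  if (!ACTIVE_TYPES.has(resourceType)) return { blocked: false, reason: "static resource" };
  const res = new URL(resourceUrl), top = new URL(topLevelUrl);
  if (isFirstParty(res.hostname, top.hostname)) return { blocked: false, reason: "first-party" };
  if (!matchesList(res)) return { blocked: false, reason: "not on list" };
  return { blocked: true, reason: "third-party active resource on list" };
}
```

A site owner can feed their own page's embedded resource URLs through a model like this to see which embeds depend on a listed domain or path.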

Exceptions for web compatibility

Chrome may apply temporary exceptions if it determines that intervention on a particular domain may cause significant user experience impact. For example, Chrome may apply exceptions aimed at avoiding degradation of the site's anti-fraud defenses or problems for particularly sensitive sites, such as those on .gov and .edu domains.

Blocked Domain List

The list of domains impacted by the Script Blocking feature is available on GitHub, and is a subset of the Masked Domain List defined for IP Protection. This feature will affect entries marked "Impacted by Script Blocking". Domains may be added to or removed from the list. Chrome will also remove domains that have successfully appealed.

Take action on Script Blocking

We encourage you to review the Masked Domain List and identify any of your domains that may be on it. To learn more, refer to the dedicated MDL page.

Engage and share feedback

If you have any feedback, we'd love to hear it.