CoreLibs icon indicating copy to clipboard operation
CoreLibs copied to clipboard
verified publisher icon AdguardTeam

improve: Separate the DNT & GPC header

Open shNzshNz opened this issue 6 months ago • 3 comments

Issue Details

According to bugzilla/1967420, Firefox is planning to unship the DNT implementation. See also MDN:

The whole DNT (Do Not Track) specification has been discontinued. The mechanism design was flawed, because it was a cooperative feature between users, websites, and browsers. The idea is that the user tells the website to not track them, and the website would comply. However, there is no strict enforcement of this policy, so advertisement websites ignored the DNT header and tracked users anyway. The feature is therefore useless. Moreover, it is harmful as it leaves more user fingerprint in the header, which can be used to track users even more.

Currently, both Do Not Track and Global Privacy Control headers are sent when the Ask websites not to track you option is enabled in the Tracking Protection section. And adguard app is unable to specify that only DNT or GPC header should be sent.

Proposed solution

Do not force both the DNT and GPC headers to be sent when Ask websites not to track you enabled, and make the DNT and GPC optional.

Example: Into the Ask websites not to track you section, there are three selectable options: 1.DNT, 2.GPC, and 3.Both.

Alternative solution

No response

shNzshNz avatar Jun 14 '25 22:06 shNzshNz

@shNzshNz This feature will be considered for implementation in CoreLibs and has been transferred accordingly.

Versty avatar Jun 16 '25 14:06 Versty

I don't really like idea of introducing additional settings.

I'd suggest just not injecting DNT if the browser that we're filtering 100% does not support it.

ameshkov avatar Jun 17 '25 07:06 ameshkov

I don't really like idea of introducing additional settings.

Yes, I agree with you.

Maybe it could be like the secure DNS filtering option, filtering on the fly by default. In that section, there is another selectable option: redirect to local DNS proxy. When the Ask websites not to track you feature is enabled, the DNT and GPC headers are sent by default. In that section, there is a second option: only send the Sec-GPC header.

or you could just drop DNT, but maybe some users still want to use it.

Many software/apps(desktop/mobile) are based on system webview to work (or they are bundle with webview), and most of them do not have the options to send privacy-related headers like GPC and DNT.

As MDN mentioned:

Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible.

Moreover, it is harmful as it leaves more user fingerprint in the header, which can be used to track users even more.

So, I hope the adguard app allows users to send only GPC header. (at least, users can have their own choice) When the feature is enabled, users can choose to leave the settings as they are, which sends both headers by default, as before.

It's just my personal opinion.

shNzshNz avatar Jun 17 '25 19:06 shNzshNz