List first-id.fr as a bounce tracker #1359

Open
Ktbzaman opened this issue Oct 15, 2023 · 7 comments
Labels
blocked Debounce Debouncing list related

Comments

@Ktbzaman

Ktbzaman commented Oct 15, 2023

Hi,

I suggest adding the domain first-id.fr (and its host gate.first-id.fr) as a bounce tracker in https://github.com/brave/adblock-lists/blob/master/brave-lists/debounce.json

This company offers a service to publishers to exploit First-Party cookies, via a bounce, as Third-Party identifier vectors.
-> https://www.first-id.fr/

It is more and more used in France, with very big publishers. Brave should block it.
Note: in order not to break the navigation, the bounce should be kept, but the cookies dropped in the first-id.fr domain should be deleted, otherwise, it might cause infinite 302 loops.

@pes10k
Collaborator

pes10k commented Oct 17, 2023

@Ktbzaman thank you for the issue! Can you provide an example of a page that uses this bounce tracking service and / or an example of the bounce-tracking URL format they use?

@Ktbzaman
Author

Ktbzaman commented Oct 20, 2023

Sure, this bounce tracker is well known in France and used by many top-tier publishers (hence Brave should definitely identify it and block it).
By the way, I tested the Bounce Mitigation in Chrome's Privacy Sandbox and saw that it effectively detects it. I don't know if that can help.

Anyway, here is a list of publishers using first-id.fr:

A very easy way to see it's being used is to check for a first-party cookie in the publisher domain named "firstid".

A good protection against bounce trackers is to let them do their things but then delete their cookies. This is what Chrome's Privacy Sandbox is doing.

As for an example of a complete bounce-tracking URL they use: https://gate.first-id.fr/?redirectHost=https%3A%2F%2Fwww.allocine.fr%2Ffirst-id%2F&redirectUri=%2Fseries%2F

@pes10k
Collaborator

pes10k commented Oct 23, 2023

Flagging @ryanbr on this. If this looks good to include, let's merge it in.

@fmarier fmarier added the Debounce Debouncing list related label Oct 31, 2023
@fmarier
Member

fmarier commented Nov 1, 2023

This one is not straightforward because the full destination URL is not contained within a single parameter:

```
$ curl --head -L 'https://gate.first-id.fr/?redirectHost=https%3A%2F%2Fwww.allocine.fr%2Ffirst-id%2F&redirectUri=%2Fseries%2F'
HTTP/2 302 
location: https://www.allocine.fr/first-id/?firstId=778313ba32bd437fcde4534ed1b664a4&redirectUri=%2Fseries%2F

HTTP/2 301 
location: https://www.allocine.fr/series/

HTTP/2 200 
```

Instead, the redirectHost and the redirectUri are combined server-side (in a very obvious way of course) to produce https://www.allocine.fr/first-id/?firstId=778313ba32bd437fcde4534ed1b664a4&redirectUri=%2Fseries%2F. If we simply redirected to the redirectHost URL, it would not be the same destination URL as following the full redirect chain and we would end up on the homepage of the site instead (via https://www.allocine.fr/first-id/?firstId=778313ba32bd437fcde4534ed1b664a4).

So we'd need to add support for combining these two parameters in the debouncer before we can create a working rule for this.

@fmarier fmarier added the blocked label Nov 1, 2023
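
The two-parameter stitching discussed in the comment above, as an added example that is not part of the original thread and not Brave's debouncer code: it rebuilds the final destination from `redirectHost` and `redirectUri` without visiting the tracker, and rejects values that would turn the rule into an open redirect. The function name, the rule object and its field names are hypothetical, and it assumes the final page lives on the same origin as `redirectHost`, as in the observed redirect chain.

```javascript
// Hypothetical rule shape (assumption): Brave's debounce.json has no such fields.
const FIRST_ID_RULE = {
  bounceHost: 'gate.first-id.fr',
  hostParam: 'redirectHost',
  pathParam: 'redirectUri',
};

// Returns the debounced destination URL, or null when the URL does not match
// the rule or the parameters cannot be combined safely.
function debounceSplitRedirect(bounceUrl, rule) {
  let url;
  try { url = new URL(bounceUrl); } catch { return null; }
  if (url.protocol !== 'https:' || url.hostname !== rule.bounceHost) return null;

  // searchParams.get() percent-decodes the values once.
  const hostValue = url.searchParams.get(rule.hostParam);
  const pathValue = url.searchParams.get(rule.pathParam);
  if (!hostValue || !pathValue) return null;

  let base;
  try { base = new URL(hostValue); } catch { return null; }
  // Only https publisher origins, no embedded credentials, and never a
  // destination that points back at the bounce host itself.
  if (base.protocol !== 'https:' || base.username || base.password) return null;
  if (base.hostname === rule.bounceHost) return null;

  // The path must be origin-relative: one leading "/", not "//" or "/\",
  // which URL parsers resolve as a different host.
  if (!/^\/(?![\/\\])/.test(pathValue)) return null;

  // Resolve against the publisher origin only, dropping the /first-id/ hop.
  const dest = new URL(pathValue, base.origin);
  // Backstop: parsers strip tabs and newlines, so re-check the final origin.
  if (dest.origin !== base.origin) return null;
  return dest.href;
}
```

For the URL quoted in the thread this returns `https://www.allocine.fr/series/`, the same destination as the last hop of the `curl` output.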
@pes10k
Collaborator

pes10k commented Nov 1, 2023

At one point I think we had regex support, though I don't remember if it got pulled. If we do have regex support, we could probably stitch things together that way. If not, then maybe worth P3'ing adding it in.

@Ktbzaman
Author

Or maybe, just letting the bounce happen and dropping all first-party cookies in the first-id.fr domain at a given frequency (like every hour)?
If Brave maintains a blacklist of tracker domains, this looks to be an easy and safe way to block such techniques (once their cookie is dropped, their ID is useless, it will change all the time for all domains).

@fmarier
Member

fmarier commented Dec 14, 2023

@Ktbzaman I think what you're describing is the unlinkable bouncing feature.
