Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
最新のブラウザで変わるCookieの取り扱いやPrivacyの考え方
Search
Yosuke Furukawa
PRO
February 13, 2020
Programming
32k
69
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
最新のブラウザで変わるCookieの取り扱いやPrivacyの考え方
2020/02/13 DevSumi 発表資料
Yosuke Furukawa
PRO
February 13, 2020
More Decks by Yosuke Furukawa
See All by Yosuke Furukawa
デザインシステムが必須の時代に
yosuke_furukawa
PRO
2
240
Node.js, Deno, Bun 最新動向とその所感について
yosuke_furukawa
PRO
10
5.2k
Welcome JSConf.jp 2024
yosuke_furukawa
PRO
1
4.7k
tc39 x jsconf.jp Panel Discussion 2024
yosuke_furukawa
PRO
0
350
Removing Corepack
yosuke_furukawa
PRO
9
2k
JavaScript Runtime とはなにか
yosuke_furukawa
PRO
15
3.1k
Strip Types と Storage
yosuke_furukawa
PRO
4
520
Module Harmony について
yosuke_furukawa
PRO
4
1.9k
LTのやり方
yosuke_furukawa
PRO
16
3k
Other Decks in Programming
See All in Programming
PHPだって関数型したい 〜できること、できないこと〜 / fp-in-php
jsoizo
0
170
【やさしく解説 設計編 #0】DDDのコード、読めるのに分からない人へ
panda728
PRO
2
240
OSINT for SRE: 学術論文とポストモーテムから探る システム障害の共通パターン / SRE NEXT 2026
tomoyk
1
3k
Contextとはなにか
chiroruxx
1
390
なぜ関数型プログラミングで「型」と「証明」が語られるのか #fp_matsuri
kajitack
3
720
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
260
トークンをケチるな、設計しろ:GitHub Copilotを賢く使うコンテキスト戦略
ochtum
0
300
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
580
そのテスト、説明できますか?~LWテスト戦略FW~のご紹介
nakahara
0
200
音楽のための関数型プログラミング言語mimiumにおける多段階計算の活用
tomoyanonymous
1
290
【SRE NEXT 2026 Lunch Session】一人目専任SREの立ち上げを加速する ― AIと進めたオンボーディングで2分を0.04秒にした話
pkshadeck
PRO
0
2k
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
yusukebe
7
1.8k
Featured
See All Featured
Tell your own story through comics
letsgokoyo
1
990
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
10
1.2k
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2.1k
Code Reviewing Like a Champion
maltzj
528
40k
Marketing to machines
jonoalderson
1
5.6k
What's in a price? How to price your products and services
michaelherold
247
13k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.8k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.5k
Optimising Largest Contentful Paint
csswizardry
37
3.8k
Imperfection Machines: The Place of Print at Facebook
scottboms
270
14k
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
200
Fashionably flexible responsive web design (full day workshop)
malarkey
408
66k
Transcript
࠷৽ͷϒϥβͰมΘ ΔCookieͷऔѻ͍ ϓϥΠόγʔͷߟ͑ํ 2020/02/13 @ Developers Summit 2020
Twitter: @yosuke_furukawa Github: yosuke-furukawa ࠷ۙͷ׆ಈ $ISPNF"EWJTPSZ#PBSE +4$POG+1PSHBOJ[FSFUD
͜͜࠷ۙɺϒϥβͷมߋ͕ ଟ͍ɻಛʹηΩϡϦςΟɾ ϓϥΠόγʔपΓɻ
'JSFGPY 4BGBSJ ɾ*OUFMMJHFOU5SBDLJOH1SFWFOUJPO τϥοΩϯάΛࢭ͢ΔΈ SEQBSUZDPPLJFΛอଘ͠ͳ͍ +BWB4DSJQU͔ΒͷDPPLJF͔͠อଘ͠ͳ͍ શͯͷΫϩεαΠτϦΫΤετͷ3FGFSFSΛ0SJHJO͚ͩʹ ɾ&OIBODFE5SBDLJOH1SPUFDUJPO τϥοΩϯάΛࢭ͢ΔΈ *51ͱ΄΅Ұॹ
ϒϥοΫϦετܗࣜͷϦετ͕͋ΓɺͦͷϦετʹϚον͢Δͱอଘ͞ Εͳ͍ ϒϥοΫϦετʹࡌ͍ͬͯΔυϝΠϯ͔Β'JOHFSQSJOUJOHTDSJQU Λಈ࡞ͤ͞ͳ͍ɻ6"ͳͲͷจࣈྻΛऔΒͤͳ͍ɻ ɾ%/40WFS)5514 %/4RVFSZIUUQTʹͯ͠҉߸ԽɺӾཡઌΛผͰ͖ͳ͍Α͏ʹ͢Δ
$ISPNF ɾ4BNF4JUF$PPLJFͷಋೖ ΫϩεαΠτͰͷϦΫΤετ࣌ʹ$PPLJFΛ͢͜ͱΛݪଇېࢭ͍ͯ͘͠ํʹɻ ΫϩεαΠτͰͷϦΫΤετͰ$PPLJFΛ͔ͨͬͨ͠Β4BNF4JUF/POFΛ͚ͭɺ 4FDVSFଐੑͭ·Γ)5514ʹ͢Δ ɾ.JYFE$POUFOUTΛϒϩοΫ͢Δ )5514ͷίϯςΩετ͔Β)551ͷϦιʔεΛಡΉ͜ͱΛ.JYFE$POUFOUTͱݺͼɺ ͜ΕΛϒϩοΫ͢Δ ɾ6TFS"HFOUจࣈྻΛݻఆԽ 6"ใͷղ૾͕ߴ͗ͯ͢pOHFSQSJOUJOHʹ͑ΔͨΊɺݻఆԽ͠ඇਪ
ɾSEQBSUZDPPLJFഇࢭ ΑΓQSJWBUFͳXFCΛಋೖ͢Δํͷؾ࣋ͪද໌ IUUQTCMPHDISPNJVNPSHCVJMEJOHNPSFQSJWBUFXFCQBUI UPXBSETIUNM
Intelligent Tracking Prevention • τϥοΩϯάࢭΛ͢ΔҰ࿈ͷΈΛࢦ͢
Enhanced Tracking Protection • τϥοΩϯάࢭΛ͢ΔҰ࿈ͷΈΛࢦ͢
SameSite Cookie • Cookie ΛΫϩεαΠτͰૹΒͳ͍Έ
3rd Party Cookie͕ಈ͔ͳ͘ͳ ΔΈ 4FSWFS BDPN 1BHF DDPN CDPN IUUQTBDPNJOEFYIUNM
4FSWFS CDPN 4FSWFS DDPN
3rd Party Cookie͕ಈ͔ͳ͘ͳ ΔΈ 4FSWFS BDPN 1BHF DDPN CDPN IUUQTBDPNJOEFYIUNM
4FSWFS CDPN 4FSWFS DDPN 4FU$PPLJF 4FU$PPLJF 4FU$PPLJF
3rd Party Cookie͕ಈ͔ͳ͘ͳ ΔΈ 4FSWFS BDPN 1BHF DDPN CDPN IUUQTBDPNJOEFYIUNM
4FSWFS CDPN 4FSWFS DDPN 4FU$PPLJF 4FU$PPLJF 4FU$PPLJF ✓ OK ✗ NG ✗ NG
3rd Party Cookie͕ಈ͔ͳ͘ͳ ΔΈ 4FSWFS BDPN 1BHF DDPN CDPN IUUQTBDPNJOEFYIUNM
4FSWFS CDPN 4FSWFS DDPN 4FU$PPLJF 4FU$PPLJF 4FU$PPLJF ✓ OK ✗ NG ✗ NG ֤ϒϥβಈ͖͕ඍົʹҟͳΔ͕ɺجຊతʹSEQBSUZDPPLJFࣗମ͍ʹ ͳΒͳ͘ͳΔɻ4BGBSJͦͦอଘ͞Εͳ͍ɺ'JSFGPYϒϥοΫϦετʹ ࡌͬͯͨΒอଘ͠ͳ͍ɺ$ISPNF$PPLJFͷଐੑ 4BNF4JUF ͰରԠ
ͦͦ Cookie ͷΈ
• a.com ʹ๚ͨ͠ͱ͢Δɻͦ͜Ͱ b.com ͷ ࠂΛݟͨͱ͢Δɻ • ͦͷ߹ཪͰɺ `Set-Cookie` ϔομͰ
Cookie͕ొ͞ΕΔɻ Cookie ͷΈ 1BHF CDPN BE IUUQTBDPNJOEFYIUNM CDPN$PPLJF4UPSF JE CDPNͷJE͕ه͞ΕΔ 4FU$PPLJFJE
• Cookie ͕ొ͞ΕΔͱ࣍ճҎ߱ͷϦΫΤετ ࣌ʹॻ͖ࠐ·Εͨใ͕ϦΫΤετϔομʹ ࡌͬͯαʔόʹΘΔɻ Cookie ͷΈ 1BHF CDPN BE
IUUQTBDPNJOEFYIUNM CDPNͷϦΫΤετ $PPLJFJE
• ͜ͷ࣌ɺ b.com Ͱ id=123456789; ͷਓ͕ a.com ͔Βདྷͨ͜ͱ͕͋Δࣄɺ࠶ b.com ͷ
ࠂΛݟ͍ͯΔ͜ͱͳͲΛࣗͷDBʹه͢ Δ Cookie ͷΈ 1BHF CDPN BE IUUQTBDPNJOEFYIUNM CDPNͷϦΫΤετ $PPLJFJE ϦΫΤετʹج͖ͮɺϢʔ βʔͷߦಈΛه͢Δ
• ࣍ʹ c.com ʹ๚ͨ͠ͱ͢Δɻͦ͜Ͱಉ༷ ʹ b.com ͷࠂΛݟͨͱ͢Δɻ • ͦ͏͢Δͱ a.com
དྷͨ͜ͱ͋Δࣄ͕ࠂදࣔ ࣌ʹ b.com ʹΘΔɻ Cookie ͷΈ 1BHF CDPN BE IUUQTDDPNJOEFYIUNM DPPLJFʹJE͕͍ͬͯΕͲ͔͜Ͱ ࠂදࣔ͞Εͨ͜ͱ͕͋Δ͜ͱ͕CDPNʹΘΔɻ ࣄલͷཤྺΛݟΕBDPN͔Βདྷͨ͜ͱΘ͔Δ
ͦ͜Ͱ ITPͰ 3rd party cookie Λblock͢ΔΈ͕ Ͱ͖͍ͯΔ
3rd Party Cookie͕ಈ͔ͳ͘ͳ ΔΈ 4FSWFS BDPN 1BHF DDPN CDPN IUUQTBDPNJOEFYIUNM
4FSWFS CDPN 4FSWFS DDPN 4FU$PPLJF 4FU$PPLJF 4FU$PPLJF ✓ OK ✗ NG ✗ NG ͡Ό͋ͦͦ͜ͷ࣌ͷCDPNϨεϙϯε࣌ʹॻ͔ΕͯΔ4FU$PPLJFΛແޮʹ ͢Δͱ͍͏ͷ͕*51ॳΊͱ͢ΔSEQBSUZDPPLJFΛഉআ͢Δߟ͑ํ
ͨͩ͜Ε͚ͩͩͱ࣮·ͩ trackingͰ͖ͯ͠·͏
• Set-Cookieϔομܦ༝Ͱͳ͘ɺJavaScriptΛμϯϩʔυͨ͠ ޙɺ `document.cookie` ܦ༝Ͱॻ͚ɺCookieʹهՄೳ • ͜ͷ߹3rd party ͷJSͰ͋ͬͯ 1st
party cookieͱͳΔͨΊɺ ઌͷ੍ΛճආͰ͖Δ • ϦΫΤετ࣌ʹAjaxΛܦ༝ͯ͠ idΛ b.com ʹૹΔɺ͜ΕͰ trackingͰ͖Δɻ Cookie ͷΈ 1BHF CDPN BE IUUQTBDPNJOEFYIUNM CDPN+BWB4DSJQUΛμ ϯϩʔυ͠ɺ+4ܦ༝ͰDPPLJF Λॻ͘ɻ
ITP / ETP ͷ߹ document.cookie ࣗମʹ੍ݶ͕ՃΘ͍ͬͯΔ 4FSWFS BDPN 1BHF DDPN
CDPN IUUQTBDPNJOEFYIUNM 4FSWFS CDPN 4FU$PPLJF EPDVNFOUDPPLJF ✓ OK ˚ 1day only EPDVNFOUDPPLJFͰॻ͍ͨ߹4BGBSJͷ߹ɺ͔͠อͨͳ͍ɻ ·ͨɺ'JSFGPYͷ߹SEQBSUZTDSJQU͕ CMBDLMJTUʹࡌͬͯΔͱ ಈ͔ͳ͍ɻ
• Chrome ͷ߹ Cookie ʹଐੑΛ༩͢ΔܗͰ 3rd party cookie ͷtrackingΛ੍ݶ͢Δ •
σϑΥϧτͰൃߦ͞ΕΔ cookie ʹ SameSite=Lax ͱݺΕΔଐ ੑ͕༩͞ΕΔɻ • ͜ΕʹΑΓɺΫϩεαΠτͰͷϦΫΤεττοϓϨϕϧυϝΠϯ ͕ಉ͡ͷͷΈʹ੍ݶ͞ΕΔɻ • ͠ΫϩεϦΫΤετͰૹΓ͍ͨ߹SameSite=None; Secure; ͱ͍͏ଐੑʹ͢Δඞཁ͕͋Δɻ Chrome SameSite Cookie
• Chrome ͷ߹ɺ document.cookie Ͱ SameSite=NoneଐੑΛ༩ͤ͞Δ͜ͱ͕ෆՄ ೳʹͳͬͯΔɻ // ҙ: ͜͏͍͏ࢦఆͰ͖ͳ͍ɻ
document.cookie="id=123456789;secure;samesite=none" Chrome SameSite Cookie هɿɹ$ISPNF͔Β4BNF4JUFOPOF4FDVSF Λ+4Ͱॻ͚ΔͨΊɺ͜ͷϖʔδޡΓɻ5IBOLT!LZPUPOJP
͜ΕͰtrackingͰ͖ͳ͍͔ɺ ͱ͍͏ͱͦ͏Ͱͳ͍ɻ
DNSͷCNAMEϨίʔυʹυϝΠϯΛՃͯ͠ Β͍ɺυϝΠϯΛ1st partyѻ͍ʹ͢Δํ๏͕͋Δ 4FSWFS BDPN 1BHF DDPN CDPN IUUQTBDPNJOEFYIUNM 4FSWFS
CDPN 4FSWFS DDPN
DNSͷCNAMEϨίʔυʹυϝΠϯΛՃͯ͠ Β͍ɺυϝΠϯΛ1st partyѻ͍ʹ͢Δํ๏͕͋Δ 4FSWFS BDPN 1BHF BOBMZUJDTBDPN BEBDPN IUUQTBDPNJOEFYIUNM 4FSWFS
BEBDPNத CDPN 4FSWFS BOBMZUJDTBDPNத DDPN
DNSͷCNAMEϨίʔυʹυϝΠϯΛՃͯ͠ Β͍ɺυϝΠϯΛ1st partyѻ͍ʹ͢Δํ๏͕͋Δ 4FSWFS BDPN 1BHF BOBMZUJDTBDPN BEBDPN IUUQTBDPNJOEFYIUNM 4FSWFS
BEBDPNத CDPN 4FSWFS BOBMZUJDTBDPNத DDPN SEQBSUZDPPLJFSEQBSUZʹରͯ͠ߦ͏͔Β/(ͳͷͰ͋ͬͯɺTUQBSUZ ѻ͍ͯ͠͠·੍͑ݶΛղআͰ͖Δ
DNSͷCNAMEϨίʔυʹυϝΠϯΛՃͯ͠ Β͍ɺυϝΠϯΛ1st partyѻ͍ʹ͢Δํ๏͕͋Δ 4FSWFS BDPN 1BHF BOBMZUJDTBDPN BEBDPN IUUQTBDPNJOEFYIUNM 4FSWFS
BEBDPNத CDPN 4FSWFS BOBMZUJDTBDPNத DDPN ͨͩ͠ɺ͜ͷ߹ɺ$PPLJFࣗBEBDPNʹ੍ݶ͞ΕΔͨΊɺSEQBSUZ DPPLJFͷΑ͏ʹɺϢʔβʔΛҰҙʹಛఆ͢ΔJEΛൃߦͰ͖ͳ͍ɻαΠτͰ USBDLJOHͰ͖Δ͚ͩͰɺಛఆࠔ
ͨͩ͜Εʹରͯ͠ DNSͰ໊લ ղܾ࣌ʹ੍ݶ͢Δํ๏͋Δ
DNSͰ੍ݶ͢Δ 1BHF BOBMZUJDTBDPN BEBDPN IUUQTBDPNJOEFYIUNM %/44FSWFS query: ad.a.com cname: b.com
%/4ʹ໊લղܾ͢Δࡍʹ $/".&Ͱผ໊ʹͳͬͯΔ͜ ͱ͕Θ͔ͬͨΒͦ͜ͰCMPDL͢ ΔΈΛݕ౼த ✗ NG %/4ղܾΛϒϥβຊମଆͰߦ͏͜ͱͰɺ੍ݶͰ͖ΔΑ͏ʹͳΔʢͨͩ͠ɺ·ͩ Ͳͷϒϥβ%/4Ͱ$/".&ܦ༝ͰͷUSBDLJOH੍ݶະ࣮ʣ IUUQTCVH[JMMBNP[JMMBPSHTIPX@CVHDHJ JE
ͭ·ΓɺͣͬͱΠλνͬ͜͝ ͷ༷૬Λఄ͍ͯ͠Δɻ
͜ͷϓϥΠόγʔͷಈ͖ ظతͳͷͰͳ͘ɺதظ తͳಈ͖ɻ ϒϥβۀքɺΣϒۀքશ ମͷʹͳ͍ͬͯΔɻ
ͨͩ Tracking શ͕ͯNGʹͳΔͱͦ ͦΣϒͷऩӹϞσϧ่Εͯ͘Δ SEQBSUZDPPLJFUSBDLJOHΛഉআͨ͠ࡍʹUPQͷQVCMJTIFSͷฏۉϨϕχϡʔ͕Ҏ্Լ ͢Δͱ͍͏άϥϑ IUUQTTFSWJDFTHPPHMFDPNGIpMFTNJTDEJTBCMJOH@UIJSEQBSUZ@DPPLJFT@QVCMJTIFS@SFWFOVFQEG
࣮ͲͷϒϥβTracking ͷશ͕ͯμϝͱݴ͍ͬͯΔΘ ͚Ͱͳ͍ɻ
Cookieͱ͍͏ศརͳശʹͳΜ Ͱ͔ΜͰཔΔͷͰͳ ͘ɺ 4FTTJPO 1FSTPOBMJ[BUJPO 5SBDLJOH
৽͍͠ΈͰϓϥΠόγʔ ʹྀͭͭ͠ɺརศੑߟྀ ͨ͠৽͍͠Ϟσϧʹ͠Α͏ͱ ͍͏औΓΈ͕ࠓى͖͍ͯΔ
Private Click Measurement (Ad click attribution) ࠂΛΫϦοΫ͔ͯ͠ΒతΛୡ͔ͨ͠Ͳ͏͔ʢίϯ όʔδϣϯ͕ୡͰ͖͔ͨʣΛDPPLJFʹཔΒͣʹߦ͏ɹ
Private Click Measurement (Ad click attribution) ࠂܝࡌઌ͔ΒΫϦοΫ͢Δࡍʹࠂܝࡌݩʹ͑ΔใΛBEଐੑͰهड़͓͖ͯ͠ɺΫϦοΫͨ͠Βͦ Ε͕ܝࡌݩʹΘΔɻͨͩͷϦϯΫཁૉʹ͢Δඞཁ͕͋ΔʢBλάͰॻ͘ʣ IUUQTXFCLJUPSHCMPHQSJWBDZQSFTFSWJOHBEDMJDLBUUSJCVUJPOGPSUIFXFC
Private Click Measurement (Ad click attribution) ࣮ࡍʹίϯόʔδϣϯͨ͠Βɺܝࡌઌʹ)551ϦμΠϨΫτ͕ߦΘΕΔɻ IUUQTXFCLJUPSHCMPHQSJWBDZQSFTFSWJOHBEDMJDLBUUSJCVUJPOGPSUIFXFC
Private Click Measurement (Ad click attribution) ࣌ؒҎʹΫϦοΫͨ͠ͷͰ͋Εಉ͘͡ίϯόʔδϣϯͷλΠϛϯάͰܝࡌઌʹ1045ͷϦ ΫΤετ͕Δɻ໌Β͔ʹͤΔใ͕ߜΒΕ͓ͯΓɺϢʔβʔ͕ԿΛങ͔ͬͨɺͲ͏͍͏ܦ࿏Λܦͨ ͷ͔ͷใΒΕ͍ͯΔͷͷɺίϯόʔδϣϯ͔ͨ͠Ͳ͏͔͚ͩผͰ͖Δɻ
Privacy Sandbox • Chrome Ͱఏএ͍ͯ͠ΔΑΓ privacy ʹྀͨ͠৽͍͠Ϟ σϧ • 3ͭͷͦΕͧΕಠཱͨ͠औΓΈ͕͋Δɻ
• Cross-Site Tracking ͷ࠶ఆٛ • 3rd Party Cookie ͷഇࢭ • ৽͍͠ํ๏ͷҠߦखஈͷఏڙ IUUQTXXXDISPNJVNPSH)PNFDISPNJVNQSJWBDZQSJWBDZTBOECPY
Privacy Sandbox • શͯΛհ͢Δ࣌ؒͳ͍ͷͰ3ͭ΄Ͳհ • Privacy Budget • Trust Tokens
API • Federated Learning of Cohorts IUUQTXXXDISPNJVNPSH)PNFDISPNJVNQSJWBDZQSJWBDZTBOECPY
• ݸਓΛࣝผՄೳͳใʹ Budget (༧ࢉ)Λ༩͑ ͯ༧ࢉΛ͑ͨΒͦΕҎ্ͷใΛ͞ͳ͍Α ͏ʹ͢ΔΈ • UserAgent ͕ݻఆԽ͞ΕΔͷ༧ࢉ੍ݶͷͨΊ •
·ͣͲΕ͚ͩͷใ͕ݸਓࣝผՄೳͳͷ͔Λ ௐࠪɺܭଌ͍ͯ͠Δͱ͜Ζ͔Β Privacy Budget
Privacy Budget ॳظϦΫΤετ: Sec-CH-UA: "Chrome"; v="73" Ϩεϙϯε: Accept-CH: UA, Platform
Sec-CH-UA: "Chrome"; v="73.3R8.2H.1" Sec-CH-UA-Platform: "Windows"; v="10" 6TFS"HFOUจࣈྻैདྷͷΑ͏ʹ͞ͳ͍ɻΤϯτϩϐʔ͕ଟ͘ɺpOHFSQSJOUʹ͑ΔͨΊɻ ͜ΕΛαʔόଆͱΫϥΠΞϯτଆͰ$MJFOU)JOUTͱݺΕΔ༷Ͱަব͠ͳ͕ΒใΛΒ͏ɻ
Trust Tokens API #PUͰ͑ΒΕͳ͍Λग़ͯ͠ɺճ͢Δ͜ͱͰ࣮ࡍʹਓ͕͍ͬͯΔͷͳͷ͔ͦ͏͡Όͳ͍ͷ͔ Λผ͢ΔΈɻ$"15$)"ʹΠϝʔδͱ͍ͯۙ͠ɻ$PPLJFΛਓ͔Ͳ͏͔ͷผʹར༻ͯͨ͠ͱ ͜ΖͰ׆༻͢Δɻ 4FSWFS 8IJDIJTEPH PS
Federated Learning of Cohorts ػցֶशΛσʔληϯλʔͰΔͷͰͳ͘ɺϒϥβͰΤοδ͔Βػցֶश͢Δ͜ͱͰݸਓͷझ ຯᅂͷఆΛݸਓใΛऩू͢Δ͜ͱͳ͘ߦ͏Έ #SPXTFS %BUB$FOUFS ͜Ε͔ΒϒϥβͰܭࢉ͠ɺ ݸਓใऩूΛෆཁʹ͢Δ
ैདྷσʔληϯλʔͰݸਓ ใΛܭࢉ͢Δඞཁ͕͋ͬͨ
DNS over https 04ʹઃఆ͞Εͨ%/4αʔό͔Β໊લղܾ͢ΔͷͰͳ͘ɺϒϥβ͔Β)5514ϦΫΤετͰɹ %/4αʔόʹ໊લղܾϦΫΤετΛૹΔɻ͜͏͢Δ͜ͱͰɺࠓ·Ͱฏจͩͬͨ%/4ΫΤϦΛ҉߸Խͨ͠ ঢ়ଶͰૹΔ͜ͱ͕Ͱ͖ɺΞΫηεઌΛதؒऀ͔ΒӅṭͰ͖Δɻ #SPXTFS %/4
Mozilla͕villain ͱͯ͠ೝࣝ ͞ΕΔࣄҊ
DNS-over-https ࣗମ͕ѱͩͱ͢Δಈ͖ ͕ΠΪϦεͰى͍ͬͯ͜Δɻ͜Εɺ ISP͕ΞμϧτϑΟϧλʔ੍ݶΛ͔͚ͨ ͍(͔͚ͳ͍ͱ๏ྩҧʹͳΔ)͔Β ΞμϧτϑΟϧλʔ੍ݶࣗࢠͲͨ ͪΛकΔͨΊʹඞཁͳͷͰ͋Δ ͷͷɺͬͯΔ͜ͱҬతͳ౪ௌͱ ಉ͡
ຊདྷળҙͱͯͬͯ͠Δࣄ ʢΞμϧτϑΟϧλʔʣͰ ͋ͬͯɺѱҙΛ࣮࣋ͬͯࢪ ͞ΕΔࣄʢ౪ௌʣͱ۠ผ͕ͭ ͔ͳ͍ঢ়گ
ࠓ࣌ͩͱ·ͩ๏උ͢Β ͍͍ͭͯͳ͍ॴ͋Δ
զʑͲ͏͢Δ͖͔
CookieͷऔΓѻ͍ʹؔͯ͠ • αʔϏεͰ͏߹ηογϣϯͱͯ͠ͷѻ͍ʹ ͱͲΊΔ͜ͱɻ • ѻ͏߹ Secureଐੑͱ HttpOnlyଐੑͷ྆ํΛ ͖ͪΜͱ͚ͯɺαʔόͰηογϣϯΫοΩʔΛ ൃߦͯ͠͏ɻ
• JavaScriptͰॻ͖ࠐΈΛͯ͠ΔՕॴۃྗݮΒ͢ɻ
CookieͷऔΓѻ͍ʹؔͯ͠ • 3rd party cookie Λج४ʹͨ͠trackingΠλνͬ͜͝Ͱ ίϩίϩํ๏͕มΘΔ • trackingͦͷͷΛఘΊΔ͔ •
ͨΓతʹରॲ͠ɺΠλνͬ͜͝ʹͳΔ͔ • ͪΌΜͱಉҙΛಘΔ͔ • ͷ3ʹͳ͍ͬͯΔɻ
CookieͷऔΓѻ͍ʹؔͯ͠ • ͪΌΜͱಉҙΛಘͨܗͰΘ͔Γ͍͢ͷΛ Ϣʔβʔʹఏࣔ͢Δ͜ͱࢹʹݕ౼ • ·ͨɺSafariಉҙΛಘΕlocalͳstorageͷ ཧΛͤͯ͘͞ΕΔɻ https://www.philips.co.jp/a-w/cookie-notice.html
CookieͷऔΓѻ͍ʹؔͯ͠ • ҰํͰtrackingʹؔͯ͠EUࣄલʹಉҙΛऔΔ͖ ͱ͍ͯ͠Δ(͍ΘΏΔGDPR)ɻ • ຊͰݸਓใอޢ๏ͷվਖ਼Ҋ͕ݕ౼தɻ https://www.ppc.go.jp/files/pdf/ 200110_seidokaiseitaiko.pdf • CookieͷऔΓѻ͍ʹݶΒͣɺtrackingΛ͢Δ߹ࣄ
લͷಉҙΛಘͳ͍ͱ͍͚ͳ͘ͳΔՄೳੑɻ
·ͱΊ
·ͱΊ • Cookieʹؔͯ͜͠Ε͔Β͓ͦΒ͘ͲΜͲΜѻ͍͕ݫ͘͠ͳ͍ͬͯ͘ɻಛʹtracking ʹ͍ͭͯ͜Ε·ͰͷΓํਪ͞Εͳ͍ํʹɻ • CookieʹมΘΔํ๏ͱͯ͠৽͍͠tracking, conversion measurementͷΓํ͕ߟ͑ ΒΕͯΔɻPrivacy SandboxPrivate
Click MeasurementͷಈΛཁνΣοΫ • ҰํͰ·ͩ๏ྩؚΊ͍͍͍ͯͭͯͳ͍ͱ͜Ζͨ͘͞Μ͋Δɻ͘͠๏͔Βઌ ʹڧ੍తʹCookieͷऔΓѻ͍Λݟ͢ํʹͳ͍ͬͯ͘Մೳੑɻ • Cookieࣗͷѻ͍ʹؔͯ͠ηογϣϯͱͯ͠͏ʹͱͲΊɺtrackingผͳํ๏Ͱ ͷݕ౼Λ͍ͯ͘͠ඞཁ͕͋Δݟ௨͠ɻ • ·ͩϒϥβϕϯμʔؒͰฒΈἧ͍ͬͯͳ͍༷ࢠɺۀքશମΛר͖ࠐΉͳͷ ͰɺۀքશମͰϑΥϩʔΞοϓ͍͖ͯ͠·͠ΐ͏ɻ
ࢀߟࢿྉ
ࢀߟࢿྉ • Safari • https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/ • https://webkit.org/tracking-prevention-policy/ • https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/ •
https://www.apple.com/safari/docs/Safari_White_Paper_Nov_2019.pdf • Firefox • https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-preview • https://support.mozilla.org/en-US/kb/firefox-dns-over-https • https://bugzilla.mozilla.org/show_bug.cgi?id=1598969 • https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and- cryptomining-by-default/ • https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/ • Chrome • https://services.google.com/fh/files/misc/disabling_third-party_cookies_publisher_revenue.pdf • https://blog.chromium.org/2020/01/building-more-private-web-path-towards.htmls
ࢀߟࢿྉ • Chrome • https://security.googleblog.com/2019/10/no-more-mixed-messages-about- https_3.html • https://developer.mozilla.org/ja/docs/Web/API/Document/cookie • https://www.chromium.org/Home/chromium-privacy/privacy-sandbox
• https://github.com/bslassey/privacy-budget • https://github.com/jkarlin/floc • https://github.com/WICG/ua-client-hints • ͦͷଞ • https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party- trackers-195205dc522a • https://wicg.github.io/ad-click-attribution/index.html • https://note.com/martech/n/n3d79c59e41be