Brave browser goes the extra mile to block third party cookies

Brave browser goes the extra mile to block third party cookies

Brave is testing a new feature to stop bounce tracking, a sneaky method that websites use to load third-party tracking cookies so they can gather more information about who is visiting their site.

The Brave browser

As you may remember from our post about the best browsers for privacy and security, Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOs, Linux, iOS, and Android.

Brave Nightlyis the version of Brave that is used for testing and development. The releases are updated every night, hence the name, and may contain bugs. Nightly automatically sends out crash reports when things go wrong. Nightly is now used to test a feature that’s designed to prevent what’s known as bounce tracking.

Why third party cookies are out of fashion

Many browsers and, especially, ad-blockers will refuse to load third-party cookies, which are cookies that do not originate from the site that you are currently visiting. From a website administrator’s point of view, third-party cookies are tracking codes that are placed on a web visitor’s computer after being generated by another website other than their own. When a web visitor visits their site and others, the third-party cookie tracks this information and sends it to the third-party who created the cookie. The most common third-parties are advertisers, marketers, and social media platforms.

Googlehas long since changed its ways and adopted other methods of tracking users. But not everyone is a tech giant with the necessary resources to pull that off, so some have resorted to bounce tracking.

Bounce tracking

Tracking protection has become a mainstream feature in many browsers these days, including Apple’s Safari, Mozilla’s Firefox, and Microsoft’s Edge. So the targeted ad industry felt it had to find a way to circumvent those measures. Enter Bounce tracking, also known as redirect tracking. Another, even more invasive method is fingerprinting, which identifies users based on their computers’ unique attributes.

Bounce tracking abuses the fact that browsers’ anti-tracking tools generally allow sites to store their own cookies so they can remember repeat visitors. To limit their tracking to first-party cookies, a site that wants to track you can load an intermediary site—or tracking site—first before transferring you to the intended destination. The intermediary site sets a first-party cookie along the way, and each time you cross through it, it gathers more information about where you’ve been and where you’re going.

But there are other methods of bounce tracking like link decoration, which means a website can add a unique identifier to the links you click on, serving as a flag to the next site you visit. The destination site can then store the identifier in a first-party cookie on the original site’s behalf, letting it track your activity. The more this happens on additional sites, the more the original site can track you without ever using third-party cookies. Facebook adverts use this method in the fbclid parameter which allows the destination site to recognize you as a specific Facebook user.

Stopping bounce tracking

Some browsers have some methods to detect and stop bounce tracking but it is not always easy, since the browser doesn’t know beforehand that it will be directed through a tracking site.

In a privacy update, Brave explained how it plans to improve the existing methods. It is calling the new feature Unlinkable Bouncing. The browser will notice when you’re about to visit a privacy harming (or otherwise suspect) website, and route that visit through a new, temporary browser storage. This prevents the site from identifying you by tying your footprint to that of previous visits, but allows the site to otherwise function as normal because your visit will look like a unique, first-time visit. The temporary storage is then deleted when you browse away from the suspect site, preventing the site from re-identifying you on future visits.

The Unlinkable Bouncing feature is now enabled in Brave Nightly, and will be in Brave’s full release on version 1.37.

A possible weak point in the Unlinkale Bouncing feature is that it relies on consulting filter lists, but you can think of it as an extra layer on top of the existing features designed to stop bounce tracking, like the query parameter stripping, debouncing, and bounce-tracking interstitial features.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.