Privacy Sandbox for the Web

Trust Tokens will help websites distinguish real people from bots or malicious attackers. Based on your behavior on a site, like regularly signing into an account, a site can choose to issue a trust token to your browser. The token can then be checked by other sites that want to verify that you’re a human, and not a bot. Trust tokens are encrypted, so it isn't possible to identify an individual or connect trusted and untrusted instances to discover your identity.

Topics are recognizable categories that the browser infers based on the pages you visit. With Topics, the specific sites you’ve visited are no longer shared across the web, like they might have been with third-party cookies. In Chrome, you will be able to see the topics and remove any you don’t like, or disable them completely in Settings.

FLoC was a proposal in the Privacy Sandbox designed to cluster people with similar browsing patterns into large groups, or "cohorts". This "safety in numbers" approach was designed to effectively blend any individuals into a crowd of people with similar interests. The development of FLoC stopped in 2021.

FLEDGE is a new way to address remarketing, ie. reminding you of sites and products you’ve been interested in, without relying on third-party cookies. As you move across the web, the sites of advertisers you’ve visited can inform your browser that they would like a chance to show you ads in the future. They can also directly share information with your browser including the specific ads they'd like to show you and how much they'd be willing to pay to show you an ad. Then, when you visit a website with ad space, an algorithm in your browser helps inform what ad might appear.

Marketers currently rely on third-party cookies to gather data about a person’s browsing activity and how they respond to ads. To allow advertisers to place relevant ads and study their effectiveness in a privacy preserving way, the Privacy Sandbox will replace third-party cookies with new measurement and reporting tools that will prevent people from being identified across different websites. This includes several connected proposals.

Current attempts to restrict cross-site tracking don't address a common scenario: one organization may have related sites with different domain names, and may need to load resources like videos or perform other activities across those domains.

This Privacy Sandbox proposal allows domains that belong to the same entity to declare themselves as a "first-party set". Outside of the first-party set, the exchange of information is restricted to protect people’s privacy.

To prevent cross-site tracking, browsers are starting to separate all forms of storage, e.g. caches, localStorage etc. However, there are many legitimate cases where shared storage is needed, and this proposal aims to address them. It will provide "shared storage" that isn’t partitioned, but ensures the data in it can only be read in a secure environment.

Sometimes, embedded services such as chat widgets or embedded maps need to know about your activity on the given site to work properly. Privacy Sandbox introduces partitioned cookies a.k.a. CHIPS (Cookies Having Independent Partitioned State) that will indicate to browsers that the necessary cookie is allowed to work "across sites" only between the site in question (or sites within the same First-Party Set) and an embedded widget.

Storage Partitioning will isolate some web platform APIs used for storage or communication if used by an embedded service on the site, ie. in the third-party context. This effort will help make the web more private and secure while largely maintaining web compatibility with existing sites.

Fenced frames are a type of embedded frame, like an iframe, that can’t communicate with the host page. This makes it safe for the fenced frame to have access to its unpartitioned storage since it will not be able to join its identifier with the top site.

A browser’s network resources, such as connections, DNS cache, and alternative service data are generally shared globally. Network State Partitioning will partition much of this state to prevent these resources from being shared across first-party contexts. To do this, each request will have an additional "network partition key" that must match in order for resources to be reused.

This extra key will protect user privacy by making it so that sites will not be able to access shared resources and metadata learned from loading other sites.

Federated Credential Management aims to bridge the gap for the federated identity designs which relied on third-party cookies. The API provides the primitives needed to support federated identity when/where it depends on third-party cookies, from sign-in to sign-out and revocation.

Chrome (and other browsers) require developers to use a SameSite cookie "label" to clearly specify if a cookie is used in a first-party or third-party context. This means that browser controls can be more precise, e.g. enabling control over third-party cookies only. There is also a significant security benefit by protecting cookies from cross-site injection and data disclosure attacks.

The User-Agent string specifies details about the browser and device you use so that sites you visit render and function well. However, it is also a significant surface for so-called passive fingerprinting. Client Hints API enables sites to request the information they need directly and will eventually reduce details contained in the User-Agent string, limiting the information shared about you online.

User-Agent (UA) reduction is the effort to minimize the identifying information shared in the User-Agent string which may be used for passive fingerprinting.

With cache partitioning, cached resources will be keyed using a new "Network Isolation Key" in addition to the resource URL. The Network Isolation Key is composed of the top-level site and the current-frame site. This adds an additional layer of security.

DNS-over-HTTPS is a protocol that encrypts Domain Name System (DNS) queries and responses by encoding them within HTTPS messages. This helps prevent attackers from observing what sites you visit or sending you to phishing websites.

Gnatcatcher is Privacy Sandbox's proposal to hide your IP address. At a baseline, it will ensure your IP addresses will be hidden, but sites can do the extra work to attest that they aren’t misusing IP addresses if they would like to have direct connections.

Privacy Budget is a proposal that combines multiple factors to help limit fingerprinting. It’s being designed to work by restricting the amount of identifying information that a site is allowed to access in order to help prevent the user from being uniquely identifiable.