Security/Tracking protection

< Security



Tracking Protection is a new platform-level technology that blocks HTTP loads at the network level. It is based on the Safe Browsing technology that powers our phishing and malware protection.

This feature was part of the Polaris initiative.


  • browser.contentblocking.enabled: master switch for all content blocking features (includes tracking protection, but excludes tracking annotations)
  • browser.safebrowsing.debug: show debugging info from the JavaScript list update code on the command line as long as browser.dom.window.dump.enabled is also enabled
  • browser.safebrowsing.provider.mozilla.lists: list of tables coming from the Mozilla shavar service
  • browser.safebrowsing.provider.mozilla.updateURL: server endpoint for downloading list updates
  • browser.safebrowsing.provider.mozilla.gethashURL: server endpoint for completions
  • browser.safebrowsing.provider.mozilla.lastupdatetime: timestamp (in ms) of when the last list update happened.
  • browser.safebrowsing.provider.mozilla.nextupdatetime: timestamp (in ms) of when the list should next be downloaded.
  • privacy.trackingprotection.annotate_channels: flag network channels loading resources on the tracking list (see how that information can be used)
  • privacy.trackingprotection.enabled: to enable TP globally
  • privacy.trackingprotection.lower_network_priority: lower the priority of channels loading tracking resources
  • privacy.trackingprotection.pbmode.enabled: to enable TP in Private Browsing mode (not needed if the global pref is enabled)
  • privacy.trackingprotection.introCount
  • privacy.trackingprotection.introURL: URL that kicks off the UI tour (target of the "See how this works" button in about:privatebrowsing)
  • urlclassifier.disallow_completions: list of tables for which we never call gethash
  • list of tables to use when looking for trackers (they need to be named *-track-*):
    • urlclassifier.trackingAnnotationTable: for tracking annotations
    • urlclassifier.trackingTable: for tracking protection
  • list of tables to use when checking whether or not a tracker is part of the same entity as the page (they need to be named *-trackwhite-*):
    • urlclassifier.trackingAnnotationWhitelistTable: for tracking annotations
    • urlclassifier.trackingWhitelistTable: for tracking protection


Code walkthrough

The classification for tracking protection, separate from the full Safe Browsing classification, is kicked off in nsHttpChannel::BeginConnectContinue() and goes like this:

  1. we asynchronously check the blacklist
  2. if there's a match, we then check the entity whitelist
  3. if it doesn't match the whitelist, we treat it as a tracker
  4. we either cancel the channel (for full tracking protection) or set a tracking flag (for tracking annotations only)

Note that only eligible resources are run through the classifier:

Tracking annotations

Tracking annotations are used in a few different places:


In addition to the Safe Browsing tests, here are all of the tests which are relevant to tracking protection:

./mach test browser/base/content/test/trackingUI/
./mach test netwerk/test/unit/test_trackingProtection_annotateChannels.js
./mach test netwerk/test/unit_ipc/test_trackingProtection_annotateChannels_wrap1.js
./mach test netwerk/test/unit_ipc/test_trackingProtection_annotateChannels_wrap2.js


  • Current blacklists (Firefox 50 and later):
    • Base lists:
      • base-track-digest256: non-DNT-compliant trackers
      • baseeff-track-digest256: DNT-compliant trackers (EFF definition)
      • basew3c-track-digest256: DNT-compliant trackers (W3C definition)
      • Upstream source
      • Our copy (i.e. what we ship to clients in binary form)
      • Submit feedback and track changes
      • Excludes the Content category.
    • Content lists:
      • content-track-digest256: non-DNT-compliant content trackers
      • contenteff-track-digest256: DNT-compliant content trackers (EFF definition)
      • contentw3c-track-digest256: DNT-compliant content trackers (W3C definition)
      • Same upstream source as the base list.
      • Only includes the Content category.
    • Category-specific lists (currently only used by Focus for Android):
      • ads-track-digest256: trackers in the Advertising category
      • analytics-track-digest256: trackers in the Analytics category
      • social-track-digest256: trackers in the Social category
    • Fingerprinting lists:
      • base-fingerprinting-track-digest256: domains in both the Fingerprinting category AND in one of the tracking categories (Advertising, Analytics, Social, or Content)
      • content-fingerprinting-track-digest256L domains in the Fingerprinting category that are NOT in one of the tracking categories
    • Cryptomining lists:
      • base-cryptomining-track-digest256: domains in the Cryptomining category
      • content-cryptomining-track-digest256: placeholder list, currently empty. Intended to include cryptomining domains that we don't want to block by default (for some reason).
  • Legacy blacklists (Firefox 42 to 49):
    • Blacklist (mozstd-track-digest256)
      • Same as the union of all of the base lists.
    • "Strict" blacklist (mozfull-track-digest256)
      • Same as the union of all of the base and content lists.
  • Entity whitelist (mozstd-trackwhite-digest256)
  • List creation script
  • The lists are stored in these files:
    • ~/.cache/mozilla/firefox/XXXX/safebrowsing/mozstd-track* on Linux
    • ~/Library/Caches/Firefox/Profiles/XXXX/safebrowsing/mozstd-track* on Mac
    • C:\Users\XXXX\AppData\Local\mozilla\firefox\profiles\XXXX\safebrowsing\mozstd-track* on Windows


  • Bugzilla:
    • Firefox::Tracking Protection for UI and general feature requests/bugs
    • Toolkit::Safe Browsing for list updates and the actual blocking in necko
    • Cloud Services::Server: Shavar for server-side bugs
    • Breakage bugs
    • Bug triage

To turn on debugging output, export the following environment variable:


To produce the "digest256" hash that sbdbdump -v will contain for

echo -n "" | sha256sum 


Alerts are sent to


  • no telemetry pings are sent while in Private Browsing mode
  • we only have telemetry when TP is enabled in the session