It seems to me that this is cross-site tracking of the sort forbidden by WebKit (Safari)'s and Firefox's tracking prevention policies:

https://webkit.org/tracking-prevention-policy/

https://wiki.mozilla.org/Security/Anti_tracking_policy

If Repixel can identify someone as a golfer with joint pain because they visited a golfing website and an unrelated joint pain website, that sounds like tracking an identifiable user across multiple first parties.

Should Safari and Firefox ban Repixel?

werds

they don't "ban" domains based on this policy. they just don't make their cookies available to the cross origin requests as per the ITP browser changes: https://clearcode.cc/blog/intelligent-tracking-prevention/#I...

so Firefox and Chrome are making changes which basically limit the effectiveness of this technique.

geofft

Firefox is willing to add specific technical countermeasures to specific domains that are attempting to bypass the tracking policy: "If a party attempts to circumvent the technical solutions we’ve outlined in this policy, we may without notice add additional restrictions to that party to prevent the circumvention." It seems they use the list of tracking domains at https://github.com/disconnectme/disconnect-tracking-protecti... .

(Safari, as far as I can tell, tries to avoid having site-specific policies, so maybe the question is "What is Repixel doing that is exploiting a security bug in Safari, and how can Safari fix it?")