Cross-Site Tracking & Fingerprinting | Blue Frog Docs

Cross-Site Tracking & Fingerprinting

Understanding and preventing cross-site tracking, third-party cookies, and browser fingerprinting issues.

What This Means

Cross-site tracking occurs when user activity is tracked across multiple websites without consent, typically through third-party cookies or browser fingerprinting techniques. This raises privacy concerns and increasingly conflicts with privacy regulations.

Methods of cross-site tracking:

Third-party cookies:

  • Advertising networks track users across sites
  • Retargeting pixels follow browsing behavior
  • Analytics platforms link activity across domains
  • Social media widgets track non-users

Browser fingerprinting:

  • Combining device characteristics to create a unique ID
  • Canvas fingerprinting (hidden graphics rendering)
  • Font fingerprinting (installed font detection)
  • WebGL fingerprinting (GPU rendering signatures)
  • Audio fingerprinting (audio processing analysis)
  • Screen resolution, timezone, language combinations
  • Plugin and extension detection

Impact:

  • GDPR violations: Requires explicit consent for cross-site tracking
  • CCPA "Do Not Sell" violations
  • Browser blocking (Safari ITP, Firefox ETP, Chrome Privacy Sandbox)
  • User trust erosion
  • Inaccurate tracking due to browser protections
  • Potential legal liability

Real-world examples:

  • Facebook tracking non-users across websites
  • Google tracking across DoubleClick network
  • Retargeting pixels following users site-to-site
  • Analytics platforms linking sessions across properties
  • Fingerprinting scripts identifying users without cookies

How to Diagnose

Method 1: DevTools inspection

  1. Open DevTools > Application > Cookies
  2. Visit your website
  3. Look for cookies from domains OTHER than your site
  4. Common cross-site tracking cookies:
    • IDE (doubleclick.net - Google advertising)
    • test_cookie (doubleclick.net)
    • fr (facebook.com - Meta tracking)
    • _fbp (your-site.com but set by Facebook)
    • personalization_id (twitter.com)
    • li_sugr (linkedin.com)
    • lang (ads-twitter.com)

Method 2: Request inspection

  1. Open DevTools > Network tab
  2. Filter by "3rd-party requests"
  3. Look for:
    • Domains different from your site
    • Cookies being sent in request headers
    • Set-Cookie headers in responses from third-party domains
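
The same check can be scripted over request data copied out of the Network tab. This is an added example, not part of the original page; the entry shape, the sample traffic and the `siteOf` helper (a simplified stand-in for a Public Suffix List lookup) are assumptions.

```javascript
// Added example. Assumption: "site" is the last two host labels, or three for the
// few multi-part suffixes below; production tooling should use the Public Suffix List.
const MULTI_PART_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

function siteOf(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const keep = MULTI_PART_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Cookie names only: values are identifiers and should not end up in audit output.
const cookieNames = (pairs) => pairs.map((p) => p.split('=')[0].trim()).filter(Boolean);

// entries: [{ url, requestCookie?: string, setCookie?: string[] }]
function findThirdPartyCookieTraffic(pageUrl, entries) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const entry of entries) {
    const host = new URL(entry.url).hostname;
    const site = siteOf(host);
    if (site === pageSite) continue; // same site, subdomains included
    const sets = cookieNames(entry.setCookie || []);
    const sends = cookieNames((entry.requestCookie || '').split(';'));
    if (sets.length || sends.length) findings.push({ host, site, sets, sends });
  }
  return findings;
}

// Constructed sample traffic for a visit to https://www.example.com/
const SAMPLE_ENTRIES = [
  { url: 'https://www.example.com/', setCookie: ['session_id=abc123; Path=/; Secure; SameSite=Lax'] },
  { url: 'https://shop.example.com/cart.js', requestCookie: 'session_id=abc123' },
  { url: 'https://ad.doubleclick.net/pixel',
    setCookie: ['IDE=constructed; Secure; SameSite=None', 'test_cookie=constructed; Secure; SameSite=None'] },
  { url: 'https://www.facebook.com/tr', requestCookie: 'fr=constructed' },
  { url: 'https://cdn.example.net/lib.js' }, // third-party, but no cookies involved
];

const findings = findThirdPartyCookieTraffic('https://www.example.com/', SAMPLE_ENTRIES);
for (const f of findings) {
  console.log(`${f.host} (${f.site}) sets=[${f.sets}] sends=[${f.sends}]`);
}
```
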

2. Fingerprinting Script Detection

Check for fingerprinting libraries:

Use DevTools > Sources to search for:

  • fingerprintjs or FingerprintJS
  • ClientJS
  • Augur
  • Canvas fingerprinting: canvas.toDataURL
  • Audio fingerprinting: AudioContext
  • WebGL fingerprinting: getParameter(RENDERER)
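
The search above can be automated across every script a page loads. The following is an added example, not code from the original page: the indicator names come from the list above, while the regular expressions, the verdict threshold and the sample script sources are assumptions.

```javascript
// Added example. Indicator names come from the list above; the regexes and the
// "library, or two or more APIs" threshold are assumptions made for this sketch.
const INDICATORS = [
  { id: 'library:FingerprintJS', kind: 'library', re: /fingerprintjs/i },
  { id: 'library:ClientJS', kind: 'library', re: /\bClientJS\b/ },
  { id: 'library:Augur', kind: 'library', re: /\baugur\b/i },
  { id: 'api:canvas', kind: 'api', re: /\.toDataURL\s*\(/ },
  { id: 'api:audio', kind: 'api', re: /\b(?:Offline|webkit)?AudioContext\b/ },
  { id: 'api:webgl', kind: 'api', re: /getParameter\s*\([^)]*RENDERER/ },
];

function scanScript(name, source) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const apis = hits.filter((i) => i.kind === 'api').length;
  const hasLibrary = hits.some((i) => i.kind === 'library');
  let verdict = 'clean';
  if (hasLibrary || apis >= 2) verdict = 'likely-fingerprinting';
  else if (apis === 1) verdict = 'review'; // one API alone is often legitimate (e.g. image export)
  return { name, verdict, hits: hits.map((i) => i.id) };
}

// Constructed script sources standing in for files found under DevTools > Sources
const SAMPLE_SCRIPTS = [
  { name: 'vendor/fp.min.js',
    source: "var c=document.createElement('canvas');var d=c.toDataURL();" +
            'var a=new OfflineAudioContext(1,44100,44100);' +
            'var r=gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);' },
  { name: 'chart.js',
    source: "function exportPng(canvas){return canvas.toDataURL('image/png');}" },
  { name: 'app.js',
    source: "import FingerprintJS from '@fingerprintjs/fingerprintjs'; FingerprintJS.load();" },
  { name: 'menu.js',
    source: "document.querySelector('nav').classList.toggle('open');" },
];

const results = SAMPLE_SCRIPTS.map((s) => scanScript(s.name, s.source));
for (const r of results) console.log(`${r.name}: ${r.verdict} [${r.hits.join(', ')}]`);
```

A `review` verdict means a human should read the call site: a chart library exporting a PNG uses the same canvas API as a fingerprinting script.
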

Use browser extensions:

Privacy Badger:

  • Detects cross-site tracking
  • Identifies fingerprinting attempts
  • Shows trackers blocked

uBlock Origin:

  • Advanced mode shows third-party requests
  • Identifies tracking domains
  • Shows blocked fingerprinting scripts

Disconnect:

  • Visualizes tracker network
  • Shows cross-site tracking chains
  • Categorizes trackers

3. Online Fingerprinting Tests

Test your site's fingerprinting behavior:

AmIUnique:

  1. Visit https://amiunique.org/
  2. Run fingerprinting test
  3. See what information can be collected
  4. Check fingerprinting uniqueness score

Cover Your Tracks (EFF):

  1. Visit https://coveryourtracks.eff.org/
  2. Test tracker blocking
  3. Check fingerprinting protection
  4. See advertisement tracking analysis

BrowserLeaks:

  1. Visit https://browserleaks.com/
  2. Run multiple fingerprinting tests
  3. See canvas, WebGL, audio fingerprints
  4. Check IP address leakage

4. Cross-Domain Tracking Detection

Test cross-domain scenarios:

  1. Setup: Create test journey across domains

    • Your main site: example.com
    • Subdomain: shop.example.com
    • Different domain: example.co.uk
  2. Track user ID across domains:

    • Clear cookies
    • Visit site 1
    • Note user ID in analytics
    • Visit site 2
    • Check if same user ID appears
  3. Legitimate cross-domain vs. cross-site:

    • Cross-domain: Tracking across YOUR properties (allowed with consent)
    • Cross-site: Tracking across DIFFERENT companies' sites (problematic)

5. Safari/Firefox Tracking Prevention Check

Safari Intelligent Tracking Prevention (ITP):

  1. Open Safari
  2. Visit your site
  3. Check Developer > Storage > Cookies
  4. Third-party cookies should be blocked
  5. Check for fallback tracking mechanisms

Firefox Enhanced Tracking Protection:

  1. Open Firefox
  2. Visit your site
  3. Click shield icon in address bar
  4. Check "Cross-site tracking cookies" blocked
  5. Review blocked trackers list

General Fixes

1. Eliminate Third-Party Tracking Cookies

Migrate to first-party tracking:

Google Analytics (switch to first-party):

Meta Pixel (first-party approach):

  • Use Conversions API (server-side)
  • Reduce reliance on browser pixel
  • Send events from your server

Example: Server-side GTM setup:

// Browser sends event to YOUR server endpoint
fetch('https://tracking.yourdomain.com/event', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    event: 'page_view',
    user_id: 'hashed_user_id',
    timestamp: Date.now()
  })
});

// Your server forwards to GTM Server Container
// GTM Server then sends to GA4, Meta, etc.

2. Implement First-Party Cookies Only

Cookie configuration best practices:

// Set cookies on your domain only
document.cookie = "session_id=abc123; " +
                  "Domain=yourdomain.com; " +  // First-party only
                  "Path=/; " +
                  "Secure; " +                  // HTTPS only
                  "SameSite=Lax; " +            // Prevent cross-site sending
                  "Max-Age=86400";              // 1 day expiration

// For strict cross-site protection:
document.cookie = "tracking_id=xyz789; " +
                  "SameSite=Strict; " +         // Never sent cross-site
                  "Secure";

SameSite attribute values:

| Value | Behavior | Use Case |
|---|---|---|
| Strict | Never sent on cross-site requests | Highly secure, may break some flows |
| Lax | Sent on top-level navigation (clicking links) | Default, good balance |
| None | Sent on all cross-site requests (requires Secure) | Third-party embeds (use cautiously) |
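
To audit cookies against these rules, the attribute strings can be linted directly. This is an added example, not part of the original page; the function names, the issue wording and the last two sample cookies are assumptions, and the first two samples reuse the attribute strings shown above.

```javascript
// Added example: lint Set-Cookie / document.cookie attribute strings against the
// SameSite and Secure rules described above.
function parseSetCookie(header) {
  const [pair = '', ...attrParts] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1); // flag attributes become true
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

function lintCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  const issues = [];
  if (sameSite === null) issues.push('missing SameSite');
  else if (!['strict', 'lax', 'none'].includes(sameSite)) issues.push('invalid SameSite value');
  else if (sameSite === 'none') issues.push('SameSite=None: sent on all cross-site requests');
  if (!attrs.secure) issues.push(sameSite === 'none' ? 'SameSite=None requires Secure' : 'missing Secure');
  return { name, issues };
}

// The first two strings match the configuration shown above; the rest are constructed.
const SAMPLE_COOKIES = [
  'session_id=abc123; Domain=yourdomain.com; Path=/; Secure; SameSite=Lax; Max-Age=86400',
  'tracking_id=xyz789; SameSite=Strict; Secure',
  'embed_pref=1; SameSite=None',
  'legacy=1; Path=/',
];

const report = SAMPLE_COOKIES.map(lintCookie);
for (const { name, issues } of report) {
  console.log(`${name}: ${issues.length ? issues.join('; ') : 'ok'}`);
}
```
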

3. Prevent Fingerprinting

Disable fingerprinting scripts:

// Remove fingerprinting libraries
// DON'T use FingerprintJS for user tracking without consent

// If fingerprinting needed for fraud prevention:
// 1. Disclose in privacy policy
// 2. Obtain consent
// 3. Use minimal fingerprinting
// 4. Don't share with third parties

Content Security Policy (CSP) to block fingerprinting:

<meta http-equiv="Content-Security-Policy"
      content="script-src 'self' https://trusted-analytics.com;
               frame-src 'self';
               connect-src 'self' https://trusted-analytics.com;">

Permissions-Policy header:

Permissions-Policy: geolocation=(), microphone=(), camera=()

4. Configure Cross-Domain Tracking Properly

Only for YOUR properties (with user consent):

GA4 cross-domain setup:

// Configure GA4 for legitimate cross-domain tracking
gtag('config', 'G-XXXXXXXXX', {
  'linker': {
    'domains': ['yourdomain.com', 'shop.yourdomain.com', 'yourdomain.co.uk'],
    'accept_incoming': true
  }
});

GTM cross-domain auto-linking:

  1. Open GTM
  2. Edit GA4 Configuration tag
  3. Expand "Fields to Set"
  4. Add field: linker
  5. Value: {"domains":["domain1.com","domain2.com"]}
  6. Add field: accept_incoming
  7. Value: true

Important: Only link domains YOU control. Explain in privacy policy.

5. Implement Privacy Sandbox Alternatives

Google's Privacy Sandbox (Chrome):

Instead of third-party cookies, use:

Topics API:

  • Browser provides interest categories
  • No cross-site user identification
  • Privacy-preserving interest targeting

FLEDGE (Protected Audience API):

  • Retargeting without cross-site tracking
  • Auction happens in browser
  • User data stays local

Attribution Reporting API:

  • Measure conversions without user tracking
  • Aggregate reports, not individual level
  • Privacy-preserving attribution

Implementation example:

// Topics API (Chrome)
if ('browsingTopics' in document) {
  document.browsingTopics().then(topics => {
    // Use topics for ad targeting (privacy-preserving)
    console.log('User interests:', topics);
  });
}

Attribution Reporting API (HTML, configured on the ad click):

<a href="https://advertiser.com"
   attributionsrc="https://ad-tech.com/register-source">
  Ad Link
</a>

6. Server-Side Tracking Migration

Benefits of server-side:

  • All cookies first-party
  • No cross-site tracking by default
  • Better control over data
  • Improved privacy compliance
  • Resilient to browser blocking

Setup: Google Tag Manager Server-Side

  1. Create server container:

    • GTM Account > Create Container
    • Select "Server" type
    • Deploy to Cloud Run, App Engine, or your server
  2. Configure web container to send to server:

// In GTM web container
gtag('config', 'G-XXXXXXXXX', {
  'transport_url': 'https://tracking.yourdomain.com',
  'first_party_collection': true
});
  3. Server container forwards events:
    • Receives events on your domain
    • Sets first-party cookies
    • Forwards to GA4, Meta, etc.
    • No cross-site tracking

Setup: Meta Conversions API

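// Server-side event to Meta (Node.js 18+, which provides a global fetch)
const crypto = require('crypto');

// Keep the access token in server-side secret storage; never ship it to the browser
const accessToken = 'YOUR_ACCESS_TOKEN';
const pixelId = 'YOUR_PIXEL_ID';

// Normalize (trim, lowercase) and SHA-256 hash the email before it leaves your server
function hashEmail(email) {
  return crypto.createHash('sha256').update(email.trim().toLowerCase()).digest('hex');
}

// email, userIP and userAgent are taken from the incoming request on your server
function sendPageView(email, userIP, userAgent) {
  return fetch(`https://graph.facebook.com/v18.0/${pixelId}/events`, {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({
      data: [{
        event_name: 'PageView',
        event_time: Math.floor(Date.now() / 1000), // Unix time in seconds
        user_data: {
          em: hashEmail(email), // Hashed email
          client_ip_address: userIP,
          client_user_agent: userAgent
        },
        action_source: 'website'
      }],
      access_token: accessToken
    })
  });
}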

7. Update Privacy Policy

Disclose tracking practices:

Cross-Site Tracking

We do not engage in cross-site tracking. Our analytics cookies are first-party only and do not follow you to other websites. We use server-side tracking to measure website performance while protecting your privacy.

Cross-Domain Tracking

We link your activity across our owned properties (example.com and shop.example.com) to provide a consistent experience. This cross-domain tracking:

  • Only applies to our websites
  • Requires your consent
  • Can be disabled in your privacy preferences
  • Does not share data with third parties for tracking purposes

Third-Party Services

We use the following services that may collect data:

  • Google Analytics (first-party, anonymized)
  • [Other services with privacy safeguards]

We have configured these services to minimize data collection and disable cross-site tracking features.

Browser Protections to Understand

Safari Intelligent Tracking Prevention (ITP)

What Safari blocks:

  • Third-party cookies (completely blocked)
  • First-party cookies from trackers (7-day cap)
  • LocalStorage/IndexedDB from trackers (7-day cap)
  • Link decoration tracking (strips URL parameters)

What this breaks:

  • Cross-site retargeting
  • Attribution windows > 7 days
  • Third-party login widgets (workaround: Storage Access API)

How to adapt:

  • Use first-party cookies only
  • Implement server-side tracking
  • Reduce attribution window or use modeled conversions
  • Request Storage Access API for legitimate cross-site needs

Firefox Enhanced Tracking Protection

Strict mode blocks:

  • Cross-site tracking cookies
  • Cryptominers
  • Fingerprinting scripts
  • Social media trackers

Standard mode blocks:

  • Known trackers in private browsing
  • Third-party cookies from trackers

How to adapt:

  • Same as Safari: first-party + server-side
  • Don't rely on third-party cookies
  • Use privacy-preserving measurement

Chrome Privacy Sandbox

Third-party cookies deprecation (2024-2025):

  • Phasing out third-party cookies
  • Replacing with Privacy Sandbox APIs
  • Topics, FLEDGE, Attribution Reporting

How to prepare:

  • Test Privacy Sandbox APIs
  • Implement Topics API for interest targeting
  • Use Attribution Reporting for conversion measurement
  • Migrate to first-party/server-side tracking

Testing Your Privacy Posture

  1. Run privacy audits:

    • Ghostery tracker count
    • Privacy Badger detection
    • uBlock Origin third-party requests
  2. Test in privacy-focused browsers:

    • Safari (ITP enabled by default)
    • Firefox (Enhanced Protection)
    • Brave (Shields up)
  3. Verify no cross-site cookies:

    • Check all cookies are your domain
    • Verify SameSite attributes
    • Test cookie behavior across browsers
  4. Check fingerprinting surface:

    • Run AmIUnique test
    • Check BrowserLeaks results
    • Minimize unique fingerprint data

Platform-Specific Guides

| Platform | Guide |
|---|---|
| Shopify | Shopify Privacy & Tracking |
| WordPress | WordPress Privacy Settings |
| Wix | Wix Tracking Configuration |
| Squarespace | Squarespace Cookie Settings |
| Webflow | Webflow Privacy Setup |
| Magento | Magento Cookie Control |

Compliance Checklist

  • No third-party tracking cookies without consent
  • All cookies have SameSite attribute
  • No browser fingerprinting scripts
  • Cross-domain tracking disclosed in privacy policy
  • Cross-domain tracking only on owned properties
  • Server-side tracking configured (if applicable)
  • Tested in Safari, Firefox, Brave
  • Privacy Sandbox APIs evaluated
  • Attribution windows realistic for browser limits
  • User opt-out mechanisms working
  • Do Not Track signals respected (optional but recommended)
