Google finds privacy holes in Safari’s ITP anti-tracking system
2020-01-24 16:36

Unexpectedly, in December, Apple published a blog post thanking Google for suggesting some changes to ITP, which it had implemented in Safari as part of December's iOS 13.3 and Safari for macOS 13.0.4 updates.

Any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user's ITP list.

By checking for the side effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user's ITP list; it can repeat this process and reveal ITP state for any domain.

Most alarmingly, the unique state of a user's ITP database might even be used against them as a "fingerprint" useful for cross-site tracking.

Safari's December updates closed most of the issues in ITP, but the fact that a bunch of researchers were able to punch holes in it underlines how even the most sophisticated anti-tracking system can come unstuck.


News URL

https://nakedsecurity.sophos.com/2020/01/24/google-finds-privacy-holes-in-safaris-itp-anti-tracking-system/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 140 994 4863 2810 1621 10288