A blog post by Cory Underwood inspired me to poke around in the macOS Sonoma beta to discover more details about the new Link Tracking Protection in Safari 17. From Apple's press release:
Link Tracking Protection in Messages, Mail, and Safari Private Browsing
Some websites add extra information to their URLs in order to track users across other websites. Now this information will be removed from the links users share in Messages and Mail, and the links will still work as expected. This information will also be removed from links in Safari Private Browsing.
According to Underwood's blog post, "It appears that the policy that Safari leverages for which parameters to removed is loaded via a remote service", and this appears to be correct! I found several relevant files inside a new directory that doesn't exist on Ventura:
$(getconf DARWIN_USER_CACHE_DIR)com.apple.WebPrivacyYou might know DARWIN_USER_CACHE_DIR better as
In particular there's a QUERY_PARAM.wplist file that contains a list of URL query parameters to be removed. This list currently comprises 25 of the usual suspects, click identifiers such as fbclid (Facebook), gclid (Google), and msclkid (Microsoft).
Incidentally, most of these parameters, and others not on Apple's list, are already automatically removed by my Safari extension StopTheMadness.
As an experiment, I disabled my wifi, deleted the com.apple.WebPrivacy directory, and logged out. Lo and behold, Safari private browsing Link Tracking Protection stopped working! Then after I re-enabled my wifi, Link Tracking Protection started working again, and I found that the com.apple.WebPrivacy directory had been recreated. Q.E.D.
I've been informed by a reliable source that Apple's QUERY_PARAM.wplist list of tracking query parameters came from PrivacyTests.org.