
You're manually curating a specifically targeted mitigation list, but it's non-public. Mozilla/Edge's approach seems preferable, not problematic



We are not presently manually curating a specifically targeted mitigations list. Just saying we might in the future. We did do a one shot rollback of HSTS super cookie abuse in the past, but that’s it.


But it needs to be public. “Trust, but verify.”


OK, that's good feedback if we ever need targeted mitigations in the future.


Why does it NEED to be public? So the bad actors can know how they are being caught and mitigated and can circumvent again and again?


The bad actors just need to open their own website in WebKit to check if they are being blocked in some way. They will always know if a particular tracking strategy they are using is not working. So there is no harm in making the list public.

The benefit of making the list public is that blocking tech is in some sense of the word censorship. The public needs to know who is being blocked to ensure transparency and to ensure that WebKit is not using their blocking technology nefariously.


Isn't WebKit open source though, including this tech?


An open-source program can easily use a closed-source blocking list. For example, the blocking list could be distributed as a list of hashes, and the program hashes the domain name to search for it in the list.


This is roughly how the Google safe browsing list for anti-phishing/malware is distributed (except with chunks and multiple levels of hashing).
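The two comments above describe the mechanism in the abstract: an open-source client ships only digests of the listed names, looks a hostname up by hashing it, and (in the Safe Browsing style) may keep only short hash prefixes locally and confirm a hit against the full digest. The following is an added, self-contained Python illustration of that design; it is not WebKit or Google code, and the domains in `SAMPLE_BLOCKED_DOMAINS`, the 4-byte prefix length and the simulated `confirm` step are constructed assumptions for the example.

```python
import hashlib
from typing import FrozenSet, List

# Constructed sample list. Only the list publisher sees these names;
# the client receives digests, never the plaintext.
SAMPLE_BLOCKED_DOMAINS = ["tracker.example", "ads.example.net"]
PREFIX_LEN = 4  # assumed bytes of each digest kept client-side in the prefix variant


def normalize_domain(domain: str) -> str:
    """Canonicalise so 'Tracker.Example.' and 'tracker.example' hash identically."""
    return domain.strip().lower().rstrip(".")


def domain_hash(domain: str) -> bytes:
    """SHA-256 of the canonical hostname; this is the only lookup key the client has."""
    return hashlib.sha256(normalize_domain(domain).encode("ascii")).digest()


def build_hashed_list(domains: List[str]) -> FrozenSet[bytes]:
    """What is actually distributed: a set of full digests, no names."""
    return frozenset(domain_hash(d) for d in domains)


def candidate_names(domain: str) -> List[str]:
    """The host itself plus every parent with at least two labels, so a listing
    of 'tracker.example' also covers 'cdn.tracker.example'."""
    labels = normalize_domain(domain).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def is_blocked(domain: str, hashed_list: FrozenSet[bytes]) -> bool:
    """Full-digest lookup: hash each candidate and test set membership."""
    return any(domain_hash(c) in hashed_list for c in candidate_names(domain))


# --- Prefix variant, in the spirit of a prefix-then-full-hash scheme ---

def build_prefix_list(domains: List[str]) -> FrozenSet[bytes]:
    """Client-side table holding only the first PREFIX_LEN bytes of each digest."""
    return frozenset(domain_hash(d)[:PREFIX_LEN] for d in domains)


def prefix_hits(domain: str, prefix_list: FrozenSet[bytes]) -> List[bytes]:
    """Full digests of candidates whose prefix is in the local table. A prefix
    match alone may be a false positive, so these still need confirmation."""
    digests = (domain_hash(c) for c in candidate_names(domain))
    return [h for h in digests if h[:PREFIX_LEN] in prefix_list]


def confirm(full_hashes: List[bytes], authoritative: FrozenSet[bytes]) -> bool:
    """Simulated server-side step: check full digests against the complete list."""
    return any(h in authoritative for h in full_hashes)


def is_blocked_via_prefix(domain: str, prefix_list: FrozenSet[bytes],
                          authoritative: FrozenSet[bytes]) -> bool:
    hits = prefix_hits(domain, prefix_list)
    if not hits:
        return False  # common case: no prefix match, no round trip needed
    return confirm(hits, authoritative)


if __name__ == "__main__":
    full = build_hashed_list(SAMPLE_BLOCKED_DOMAINS)
    prefixes = build_prefix_list(SAMPLE_BLOCKED_DOMAINS)
    # A site operator can always test their own hostname against the shipped list.
    for host in ["tracker.example", "cdn.tracker.example", "example.com"]:
        print(host, is_blocked(host, full), is_blocked_via_prefix(host, prefixes, full))
```

The `__main__` block makes the thread's point concrete: whoever operates `tracker.example` can run the same lookup the client runs and see that they are listed, so hashing does not hide an entry from its owner. What hashing does hide is the list's contents from a casual reader; anyone willing to hash a dictionary of known hostnames can still recover which of those are listed, which is the transparency trade-off the discussion is about.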


Sure, but that's why I asked if the blocking tech was open source as well, but I probably didn't ask it very clearly. I couldn't tell from the linked page whether the tech (whether lists or algorithms) was closed or open, but if it's the latter wouldn't that be enough disclosure?


The linked page is primarily based on tech in the WebKit open source tree. However, some protections depend on support in underlying layers. WebKit's strategy is to use the platform-native versions of things like the network stack and font loading.



