Making Tracking Protection Lists Available From Your Web Site

Any site can offer Tracking Protection Lists (TPLs) to help consumers protect their privacy. This post shows you how to make a TPL available from your site. For example, clicking here in IE9 will add the list from the EasyPrivacy.

A word about Tracking Protection Lists

Tracking Protection Lists are similar in concept to the lists behind the AdBlockPlus add-in for Firefox. The main differences are that TPLs are built in to IE, the W3C is working through the standardization process of their format, and adding a TPL in IE sends the DNT header (link).

Technically, TPLs are just text files that can be hosted on any Web server and linked to from any Web page, like an RSS feed for a blog. You can find TPLs at several different sites, like the IE gallery site (linked to from the Manage Add-ons dialog within IE), the EasyList Web site, or on other sites like this one.

How to link to a Tracking Protection List

Let’s use the EasyPrivacy TPL as our example. The TPL is located on the EasyList webserver at Following that link in any browser will show the contents of that list… useful for privacy enthusiasts, but not as much for consumers who want to add the list.

Internet Explorer 9 includes a JavaScript API, msAddTrackingProtectionList (link), to do this:

<a href=”javascript:window.external.msAddTrackingProtectionList(‘’, ‘EasyList Privacy’)”>EasyPrivacy TPL</a>

Clicking on this link results in a user confirmation prompt:

Dialog confirming the addition of a Tracking Protection List

This makes sure that the consumer really wanted the list, and that the site isn’t installing it without user consent. This is like a pop-up blocker against unwanted TPLs.

For security reasons, msAddTrackingProtectionList can only be called from places in your page that are associated with a user interaction – buttons, links, forms, etc. are all fine. It can’t be called on page load automatically. Another benefit of using a JavaScript API is that you can easily deploy a TPL from your Web site without having to change your server configuration; for example, no custom MIME types are required.

If you’re passionate about privacy, consider adding a link to your favorite TPL on your own Web site.

—Andy Zeigler, Program Manager, Internet Explorer

Comments (12)

  1. Anonymous says:

    What if I want to use tracking protection lists, but I don't want to send the DNT header?  I feel that the DNT header actually makes me _easier_ to track since so few users have enabled it.  On the other hand, tracking protection lists don't have the same downside because tracking entities should never know that I have a TPL active.  So, is there a way to override the DNT header behavior while keeping TPLs active?

  2. Anonymous says:

    Dear IE staff: Will it be possible to have a user-editable TPL list in the future? And by that I don't mean the automatic values in IE9, but by user-addable blocklists and whitelists, which include not just images and urls but different selectable x/html elements (embed, div, span), or blocks based on the CLASS or ID of a specific elements, and so on.

    So, for example, the ability to block all divs on all sites where there is an element with ID="adwindow",


    to block all CLASS="adpopup" on all DIV elements but only on the site

    and so on. The ability to manually whitelist / blacklist things is a serious setback.

    Also, statistics for blocked items can be useful on knowing what entries in the TPL lists actually do their job.

  3. Anonymous says:

    Powerful feature you are asking.. but I doubt more than 1 in 1000 IE users will care to use it or even know how to use it fully. So I have my doubts about Microsoft actually implementing it. Will be cool if they do it though.

  4. Anonymous says:

    We're offering several protection lists especially for Germany on our German Web site using the method described in this post. Lots of our users were surprised how easy it is to add lists to IE this way. In fact, many of them didn't even know before that such a feature (Tracking Protection) exists in IE9. So, thank you for providing a method to add new list with a simple script.

    However, we've got several responses where people were skeptical due to the look of the dialog box pictured above, and they feared it was a spoof. Well, I have to agree because the dialog box doesn't look like one might expect: For example, the color of the header is not the original blue that Windows Aero uses, the dialog font is not Segoe UI 9pt, there is a white background around the edges of the buttons, and a white background is visible at the bottom of the window. In addition, I've seen clipping problems when the name of the list is quite long.

    May I suggest using the TaskDialogIndirect API to implement the dialog box instead? It would provide the native, real Windows look, and it would resolve all the issues I mentioned. TaskDialogIndirect supports all the controls being used in the current version of the dialog box, and the implementation might even be easier.


    PS: I look forward seeing more usage of task dialogs in IE10. For example, the Close Tabs confirmation dialog box could be replaced with a nice task dialog, too.

  5. Quppa says:

    @Roland: my thoughts exactly. I guess the IE team made their own TaskDialog (NIH syndrome?). Now that they don't have to support XP, is there any reason to avoid using that API?

  6. Anonymous says:

    In completely unrelated news, CSS 2.1 just became an official W3C recommendation.

    Is there a way to view the results of the CSS 2.1 test suite? The RC2 results shown by Gérard Talbot were that IE9 nuked its competitors, but right now there seems to be no official results (a.k.a. results of 100% of the tests with the latest browser versions)

  7. Anonymous says:

    JSNES is a port of vNES to JavaScript, inspired by Matt Wescott’s JSSpeccy

    JavaScript emulator for SNES:…/jsnes

  8. Anonymous says:

    I have compiled an ad blocking TPL based on EasyList. You can download it here:

  9. Anonymous says:

    anyone else have trouble getting to the drivers section of HP's website?  I have it with multiple machines, multiple locations and multiple versions of OS and IE.  every other browser works except IE.

  10. Anonymous says:

    Although I see this concept of "voluntary" privacy settings as utterly futile (many sites can't figure out how to avoid SQL Injection – how on earth are you expecting them to voluntarily exclude tracking any user info).. however I see a much bigger issue at hand.

    Once again MSFT has tried to push something as a standard that is IE-only.

    If MSFT wants anyone to take them seriously, they will take the ".msTrackingProtectionEnabled();" off of the IE-only "window.external" object and put it in a common place like Firefox did.

    //correct namespace!


    Likewise, rename the feature to "doNotTrack" as the "ms" prefix indicates you have no intention of making this a shared browser concept.

    The biggest part of Web Standards that Microsoft *REFUSES* to understand is that consistency is the biggest issue for Web Developers.  No serious Web Developer *EVER* wants to go into window.external because this is a backdoor out of the browser sandbox into things that 99.9% of the time have NOTHING to do with JavaScript / The Standard Web.

    Every time I come in to fix up a web app and I see "window.external" I shudder knowing that there is much work to do to get the app back into Web Standards.  Its almost as bad as seeing "On Error Resume Next" – a tell tale sign of poor quality code.

  11. Anonymous says:

    não  consigo  entrar  nomeu orkut  tentei  fazer   outro ,é inútil senha  crreta  e  edereço  também,oque  está  acontecendo o  refinamento  de  senha  não funciona,  oque  está errado

  12. Anonymous says:

    W3C encourages browsers to use vendor prefixes to web standards under development. It's presumptuous for a browser NOT to.

    Maybe a better question is why Moz's page doesn't do the href thing right?