Apple Enables Full Third-Party Cookie Blocking in Safari

Apple this week announced that third-party cookies are now blocked by default in Safari on macOS, iOS and iPadOS.

The feature represents the latest enhancement the Cupertino-based company brought to its Intelligent Tracking Prevention (ITP) and is meant to improve the privacy of its users by removing previously accepted exceptions.

Due to continuous improvements made to ITP, most third-party cookies were already blocked in Safari, but other browser makers are also moving toward blocking cookies by default, and Apple decided to take the final step ahead of them.

“Full third-party cookie blocking removes statefulness in cookie blocking. […] Full third-party cookie blocking makes sure there’s no ITP state that can be detected through cookie blocking behavior,” Apple says.

Cookies, the company argues, “allow for cross-site leakage of user information such as login fingerprinting,” and blocking them eliminates that.

Additionally, blocking third-party cookies disables cross-site request forgery attacks that are launched against websites through third-party requests, removes the possibility of identifying users through an auxiliary third-party domain, and simplifies development, since the Storage Access API becomes the single path for cookie access in a third-party context.

Website administrators whose sites rely on third-party cookies in Safari are advised to use OAuth 2.0 authorization or the Storage Access API to ensure their domains continue to work for users, or to apply a previously detailed temporary compatibility fix.
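The Storage Access API path mentioned above, as an added example (not Apple's or WebKit's code): an embedded third-party frame checks whether its cookies already flow and, if not, asks for access from inside a user gesture. The `doc` parameter is an assumption made so the flow can be exercised with a stand-in object outside a browser; in a page it defaults to the real `document`.

```javascript
// Added example, not from the original article. Runs in an embedded
// third-party <iframe>; `doc` is injectable so the decision logic can be
// tested with a constructed stand-in outside a browser.

async function ensureCookieAccess(doc = globalThis.document) {
  // Feature detection: a browser without the API offers no recovery path,
  // so report that rather than assuming cookies will be sent.
  if (!doc || typeof doc.hasStorageAccess !== 'function') {
    return { state: 'unsupported' };
  }

  // Under full third-party cookie blocking this resolves to false until the
  // user has granted access to this embedded origin.
  if (await doc.hasStorageAccess()) {
    return { state: 'granted' };
  }

  // requestStorageAccess() must run inside a user gesture (e.g. a click
  // handler); outside one the promise rejects, which we report as denied.
  try {
    await doc.requestStorageAccess();
    return { state: 'granted' };
  } catch (err) {
    return { state: 'denied', reason: String((err && err.message) || err) };
  }
}

// Wire the request to a visible control so the call carries user activation.
// `onResult` receives the object returned by ensureCookieAccess().
function bindAccessButton(button, onResult, doc = globalThis.document) {
  button.addEventListener('click', async () => {
    onResult(await ensureCookieAccess(doc));
  });
}

// Constructed stand-ins mirroring the three outcomes a frame can see.
const alreadyGrantedDoc = {
  hasStorageAccess: async () => true,
  requestStorageAccess: async () => {},
};
const deniedDoc = {
  hasStorageAccess: async () => false,
  requestStorageAccess: async () => { throw new Error('no user gesture'); },
};
const legacyDoc = {}; // browser without the Storage Access API
```

When the result is `denied`, the frame should fall back to a flow that does not depend on cookies (such as the OAuth 2.0 redirect the article mentions) rather than retrying silently.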

The full third-party cookie blocking also means that, once a “request is blocked from using cookies, all redirects of that request are also blocked from using cookies.”

Safari now also deletes all of a website’s script-writable storage if the user has not navigated to that website for seven days of Safari use, that is, seven days during which the user browsed other sites. The affected forms of script-writable storage include IndexedDB, LocalStorage, Media Keys, SessionStorage, and Service Worker registrations.

Additionally, Apple announced that all cross-site document.referrer values are now downgraded to their origin, as already happens for cross-site referrer request headers, and that Safari can now detect both instant bounces and delayed navigation redirects.

“We encourage all developers to regularly test their websites with Safari Technology Preview (STP) and our betas of iOS, iPadOS, and macOS. Major changes to ITP and WebKit in general are included in the betas and STP, typically months before shipping,” Apple also notes.
