Apple this week announced that third-party cookies are now blocked by default in Safari on macOS, iOS and iPadOS.
The feature represents the latest enhancement the Cupertino-based company brought to its Intelligent Tracking Prevention (ITP) and is meant to improve the privacy of its users by removing previously accepted exceptions.
Due to continuous improvements made to ITP, most third-party cookies were already blocked in Safari, but other browser makers are also moving toward blocking cookies by default, and Apple decided to take the final step before others.
“Full third-party cookie blocking removes statefulness in cookie blocking. […] Full third-party cookie blocking makes sure there’s no ITP state that can be detected through cookie blocking behavior,” Apple says.
Cookies, the company argues, “allow for cross-site leakage of user information such as login fingerprinting,” and blocking them eliminates that.
Additionally, blocking third-party cookies disables cross-site request forgery attacks against websites through third-party requests, removes the ability to identify users through an auxiliary third-party domain, and simplifies development, since third parties that need cookie access use the Storage Access API.
Website admins who rely on third-party cookies in Safari are advised to use OAuth 2.0 authorization or the Storage Access API to ensure their domains still work for users, or to apply a previously detailed temporary compatibility fix.
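How an embedded cross-site frame can ask for cookie access through the Storage Access API mentioned above, as an added example that is not code from Apple or from the original article. The function names, the `sign-in` button id and the suggested fallback to a first-party OAuth 2.0 flow are assumptions.

```javascript
// Added example: runs inside a cross-site <iframe> (the embedded third party).
// `doc` is the frame's document; passing it in keeps the logic testable.
async function ensureCookieAccess(doc) {
  // Browsers without the Storage Access API: nothing to request.
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return 'unsupported';
  }
  // The frame may already be allowed to use its first-party cookies.
  if (await doc.hasStorageAccess()) {
    return 'granted';
  }
  try {
    // Must be called from a user gesture such as a click; the promise
    // rejects when there is no gesture or the user declines.
    await doc.requestStorageAccess();
    return 'granted';
  } catch (err) {
    // Assumption: on denial the caller falls back to a first-party flow,
    // for example an OAuth 2.0 redirect in the top-level window.
    return 'denied';
  }
}

// Request access only in response to a click, never on page load.
function wireSignInButton(doc, button, onResult) {
  button.addEventListener('click', async () => {
    onResult(await ensureCookieAccess(doc));
  });
}

// Browser-only wiring; 'sign-in' is a hypothetical element id.
if (typeof document !== 'undefined') {
  const btn = document.getElementById('sign-in');
  if (btn) {
    wireSignInButton(document, btn, (state) => {
      console.log('storage access:', state);
    });
  }
}
```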
The full third-party cookie blocking also means that, once a “request is blocked from using cookies, all redirects of that request are also blocked from using cookies.”
Safari now also deletes all of a website’s script-writable storage if the user has not navigated to that website for seven days while still using Safari to visit other sites. The affected forms of script-writable storage include IndexedDB, LocalStorage, Media keys, SessionStorage, and Service Worker registrations.
Additionally, Apple announced that every cross-site document.referrer is downgraded to its origin, as already happens with cross-site referrer request headers, and that Safari can now detect both instant bounces and delayed navigation redirects.
“We encourage all developers to regularly test their websites with Safari Technology Preview (STP) and our betas of iOS, iPadOS, and macOS. Major changes to ITP and WebKit in general are included in the betas and STP, typically months before shipping,” Apple also notes.
