Are you sitting down? Because there’s some news that actually isn’t related to the coronavirus.
After years of moving in this direction, Apple said Tuesday that all third-party cookies for cross-site tracking will be blocked by default in Safari 13.1 for iOS and macOS.
You’d be forgiven for scratching your head and saying, “Wait a sec, weren’t third-party cookies already blocked in Safari as part of Intelligent Tracking Prevention?”
The answer is yes. What’s new is Safari going full nuclear on workarounds. It’s been a cat-and-mouse game between trackers and Safari for a while, but ITP means business.
In a blog post, WebKit security engineer John Wilander put it like so: “This is a significant improvement for privacy since it removes any sense of exceptions or [that] ‘a little bit of cross-site tracking is allowed.’”
WebKit will share its experiences with unmitigated third-party cookie blocking with privacy groups within W3C “to help other browsers take the leap,” Wilander wrote.
Chrome said earlier this year that it’s planning to deprecate third-party cookies in its browser beginning in 2022.
Here are a few of the exploits WebKit is cracking down on:
- Ironically, the way in which a tracking prevention method is carried out can in some cases be manipulated to track a person across sites. Full third-party cookie blocking ensures that there is no ITP state that can be detected through cookie-blocking behavior. Basically, trackers won’t be able to use what is being blocked as a signal for tracking.
- Login fingerprinting, which allows sites to see where a user was previously logged in, will no longer be possible. In other words, a user’s login state no longer leaks across sites.
- Last year, Apple announced that all client-side cookies would expire after seven days. (Later, this became 24 hours.) As expected, third-party scripts reacted by simply moving to other means of first-party storage, such as LocalStorage, which lets JavaScript store information on the client side with no expiry. Well, now there will be a seven-day cap on all script-writable storage too.
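
For a first-party site, the practical consequence of the seven-day cap is that anything written from JavaScript has to be treated as a cache, with the authoritative copy kept server-side. The sketch below is an added example, not code from WebKit or from the original article; `cappedStore`, `loadWithFallback`, `fetchFromServer` and `memoryStorage` are hypothetical names, and the expiry check only mirrors the seven-day figure quoted above, not WebKit’s actual eviction logic.

```javascript
const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;

// `storage` is anything with the Web Storage getItem/setItem/removeItem
// methods (window.localStorage in a browser); `now` is injectable for testing.
function cappedStore(storage, now = () => Date.now()) {
  return {
    set(key, value) {
      storage.setItem(key, JSON.stringify({ v: value, t: now() }));
    },
    // Returns the stored value, or null when the entry is absent (for example
    // removed by the browser), unparsable, or older than the seven-day cap.
    get(key) {
      const raw = storage.getItem(key);
      if (raw === null) return null;
      let entry;
      try { entry = JSON.parse(raw); } catch { entry = null; }
      const valid = entry !== null && typeof entry === "object" &&
        typeof entry.t === "number" && "v" in entry;
      const age = valid ? now() - entry.t : Infinity;
      if (!valid || age < 0 || age >= SEVEN_DAYS_MS) {
        storage.removeItem(key); // drop stale or corrupt state instead of trusting it
        return null;
      }
      return entry.v;
    },
  };
}

// Read-through helper: `fetchFromServer` is a hypothetical callback that
// returns the authoritative copy tied to the user's logged-in session.
async function loadWithFallback(store, key, fetchFromServer) {
  const cached = store.get(key);
  if (cached !== null) return cached;
  const fresh = await fetchFromServer(key);
  store.set(key, fresh);
  return fresh;
}

// Constructed in-memory stand-in for localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}
```

In a browser, `cappedStore(window.localStorage)` behaves the same whether an entry aged out in the wrapper or was removed by the browser: the caller gets `null` and refetches.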