Safari Enables Full-On Third-Party Cookie Blocking By Default (Aka, No More Workarounds Ever)

Are you sitting down? Because there’s some news that actually isn’t related to the coronavirus.

After years of moving in this direction, Apple said Tuesday that all third-party cookies for cross-site tracking will be blocked by default in Safari 13.1 for iOS and macOS.

You’d be forgiven for scratching your head and saying, “Wait a sec, weren’t third-party cookies already blocked in Safari as part of Intelligent Tracking Prevention?”

The answer is yes. What’s new is Safari going full nuclear on workarounds. It’s been a cat-and-mouse game between trackers and Safari for a while, but ITP means business.

In a blog post, WebKit security engineer John Wilander put it like so: “This is a significant improvement for privacy since it removes any sense of exceptions or [that] ‘a little bit of cross-site tracking is allowed.’”

WebKit will share its experiences with unmitigated third-party cookie blocking with privacy groups within W3C “to help other browsers take the leap,” Wilander wrote.

Chrome said earlier this year that it’s planning to deprecate third-party cookies in its browser beginning in 2022.

Here are a few of the exploits WebKit is cracking down on:

  • Ironically, the way in which a tracking prevention method is carried out can in some cases be manipulated to track a person across sites. Full third-party cookie blocking ensures that there is no ITP state that can be detected through cookie-blocking behavior. Basically, trackers won’t be able to use what is being blocked as a signal for tracking.
  • Login fingerprinting, which allows sites to see where a user was previously logged in, will no longer be possible. Aka, no leakage of a user’s login state across sites.
  • Last year, Apple announced that all client-side cookies would expire after seven days. (Later, this became 24 hours.) As expected, third-party scripts reacted by simply moving to other means of first-party storage, such as LocalStorage, which uses JavaScript to store information on the client side and never expires. Well, now there will be a seven-day cap on all script-writable storage too.

Click here to read the full blog post.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!