Safari in New Versions of iOS and macOS Includes Full Third-Party Cookie Blocking

[MacRumors]

Safari in macOS 10.15.4 and iOS and iPadOS 13.4 includes enhancements to Apple's Intelligent Tracking Prevention feature that allow for full third-party cookie blocking, Apple's WebKit team said today in a new blog post.

Cookies for cross-site resources are blocked by default in the new versions of Safari, introducing significant privacy improvements because it further cuts down on cross-site tracking functionality.

It might seem like a bigger change than it is. But we've added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari. To keep supporting cross-site integration, we shipped the Storage Access API two years ago to provide the means for authenticated embeds to get cookie access with mandatory user control. It is going through the standards process in the W3C Privacy Community Group right now.

The new cookie blocking feature makes sure there's no Intelligent Tracking Prevention state that can be detected through cookie blocking behavior as it removes statefulness, and it also prevents an attacker from seeing ITP status.

Safari's default cookie policy requires a third-party to have "seeded" its cookie jar as first-party before it can use cookies as third-party. This means the absence of cookies in a third-party request can be due to ITP blocking existing cookies or the default cookie policy blocking cookies because the user never visited the website, the website's cookies have expired, or because the user or ITP has explicitly deleted the website's cookies.

Thus, the absence of cookies in a third-party request outside the attacker's control is not proof that the third-party domain is classified by ITP.

Safari is the first mainstream browser to fully block third-party cookies by default, and Apple's WebKit team wants to pave the way for other browsers to do the same, so it plans to report on the experiences of full third-party cookie blocking to W3C privacy groups in an effort to help other browsers make the change as well.

More info on the changes implemented in Safari for iOS, iPadOS, and macOS today can be found in the full blog post.

Article Link: Safari in New Versions of iOS and macOS Includes Full Third-Party Cookie Blocking

 

[now i see it]

Private Mode browsing works even better

 

[zorinlynx]

Private Mode browsing works even better

Can websites still detect it though? I know there was some issues with some sites telling you that you couldn't browse in private mode, particularly newspapers that give you X "free" articles per month and use cookies to track this.

I don't like websites to be able to detect private mode, it goes beyond wanting to read free articles.

 

[John.B]

It's like a game of whack-a-mole, but I appreciate Apple pressing the issue.

 

[BWhaler]

Thank you Apple and the Webkit Team.

While no company is perfect, it is a true gift to have the largest and best consumer tech company care so much about our privacy. There’s more money in selling us out, so I am grateful for the people of Apple taking a stand on principle.

 

[nexu]

Private Mode browsing works even better

Why?

 

[xxray]

Thank you Apple. Please continue to find new ways to protect our privacy.

 

[I7guy]

It's like a game of whack-a-mole, but I appreciate Apple pressing the issue.

Exactly. I appreciate the focus on privacy as much as can be expected, by browsing the web.

 

[H2SO4]

Can websites still detect it though? I know there was some issues with some sites telling you that you couldn't browse in private mode, particularly newspapers that give you X "free" articles per month and use cookies to track this.

I don't like websites to be able to detect private mode, it goes beyond wanting to read free articles.

I don't, (think), have a problem with it. There is no such thing as free. You always pay maybe not with money but there is certainly a price.

 

[az431]

I don't, (think), have a problem with it. There is no such thing as free. You always pay maybe not with money but there is certainly a price.

It is possible for something to be free without strings attached, and it is possible to offer a free service without requiring someone to abandon their privacy.

 

[nvmls]

While at it, built-in Ad blocker any chance?

 

[now i see it]

In Private Mode, a cookie will be set by the website you visit if they use cookies but it's not retained. When you leave the page, the cookie/s automatically get deleted.
Check for yourself.
First delete all cookies in safari settings then visit a bunch of websites - then go back to settings and behold the horrorshow of tracking cookies you collected.
Then delete them all again and turn on Private Mode in safari and visit those websites again. Then check your cookie jar in safari settings - you'll see there's no cookies in there.

Private Mode does break some web pages. They won't function properly with its turned on. Then switch to normal browsing for those sites as needed (and delete your cookies afterwards if you're all done with them)

 

[farewelwilliams]

Apple should have its own built-in VPN service.

 

[Twilbo]

And just like that website advertising revenue crumbles

 

[Dave-Z]

A good move. I've been blocking all third-party cookies on my desktop systems for a while. There's absolutely no reason for third-party cookies.

 

[Twilbo]

So you are happy for sites like this to go under as their advertising revenue dries up?

 

[Digital Dude]

Trivia: I haven't used Safari is months due to how slow it runs compared to Microsoft Edge. So, after updating to 10.15.4, I figured I'd give it another try. It's still slower than Edge, but what the heck. So, I tried to apply an Apple Store order change, but it didn't work. I logged in as usual, with no problem. Then I could see my order just fine. If I want to apply changes, I'm required to sign in again for that specific task, and this is where the blank screen shows up. I ended up using my iPhone (13.4) to solve the issue. Perhaps it's just an Apple Store issue, but it's still slower than Edge.

 

[nexu]

In Private Mode, a cookie will be set by the website you visit if they use cookies but it's not retained. When you leave the page, the cookie/s automatically get deleted.
Check for yourself.
First delete all cookies in safari settings then visit a bunch of websites - then go back to settings and behold the horrorshow of tracking cookies you collected.
Then delete them all again and turn on Private Mode in safari and visit those websites again. Then check your cookie jar in safari settings - you'll see there's no cookies in there.

Private Mode does break some web pages. They won't function properly with its turned on. Then switch to normal browsing for those sites as needed (and delete your cookies afterwards if you're all done with them)

Yeah, it works. Thanks

 

[nutmac]

Unfortunately, this option is breaking Google Classroom. All attachments are failing unless you disable "Prevent cross-site tracking" option.

Ironically, Apple is thanking Google on their blog post.

 

[Westside guy]

Next step should be to provide an optional block/allow for even first-party scripts on a per-site basis - similar to Purify on iOS or NoScript on Firefox.

 

[jpn]

Next step should be to provide an optional block/allow for even first-party scripts on a per-site basis - similar to Purify on iOS or NoScript on Firefox.

i would like to see a way for clearing history to remove all cookies except for ones that have been given special protected status - and those cookies are not removed when you clear all history. and, i want to be able to set a timed history clearing that's done automatically like every 30 or 60 minutes.

 

[Westside guy]

Unfortunately, this option is breaking Google Classroom. All attachments are failing unless you disable "Prevent cross-site tracking" option.

This is probably on Google, not Apple. Apple‘s release note specifically mentions OAuth2 as a way to work within the new security model. Which, incidentally, is exactly what Google requires for third-party access to its own services (such as when you add your Google calendar to the Apple calendar app).

 

[LV426]

Can websites still detect it though? I know there was some issues with some sites telling you that you couldn't browse in private mode, particularly newspapers that give you X "free" articles per month and use cookies to track this.

I don't like websites to be able to detect private mode, it goes beyond wanting to read free articles.

Try it, in Private Mode, by going to the Panopticlick test site.

 

[SantaFeNM]

i would like to see a way for clearing history to remove all cookies except for ones that have been given special protected status - and those cookies are not removed when you clear all history. and, i want to be able to set a timed history clearing that's done automatically like every 30 or 60 minutes.

GREAT idea!

 

[firewood]

i would like to see a way for clearing history to remove all cookies except for ones that have been given special protected status - and those cookies are not removed when you clear all history.

Did you submit an enhancement request via Apples bug reporter system?