Safari in New Versions of iOS and macOS Includes Full Third-Party Cookie Blocking

MacRumors

macrumors bot
Original poster
Apr 12, 2001
47,587
9,378


Safari in macOS 10.15.4 and iOS and iPadOS 13.4 includes enhancements to Apple's Intelligent Tracking Prevention feature that allow for full third-party cookie blocking, Apple's WebKit team said today in a new blog post.

Cookies for cross-site resources are blocked by default in the new versions of Safari, introducing significant privacy improvements because it further cuts down on cross-site tracking functionality.
It might seem like a bigger change than it is. But we've added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari. To keep supporting cross-site integration, we shipped the Storage Access API two years ago to provide the means for authenticated embeds to get cookie access with mandatory user control. It is going through the standards process in the W3C Privacy Community Group right now.
The new cookie blocking feature makes sure there's no Intelligent Tracking Prevention state that can be detected through cookie blocking behavior as it removes statefulness, and it also prevents an attacker from seeing ITP status.
Safari's default cookie policy requires a third-party to have "seeded" its cookie jar as first-party before it can use cookies as third-party. This means the absence of cookies in a third-party request can be due to ITP blocking existing cookies or the default cookie policy blocking cookies because the user never visited the website, the website's cookies have expired, or because the user or ITP has explicitly deleted the website's cookies.

Thus, the absence of cookies in a third-party request outside the attacker's control is not proof that the third-party domain is classified by ITP.
Safari is the first mainstream browser to fully block third-party cookies by default, and Apple's WebKit team wants to pave the way for other browsers to do the same, so it plans to report on the experiences of full third-party cookie blocking to W3C privacy groups in an effort to help other browsers make the change as well.

More info on the changes implemented in Safari for iOS, iPadOS, and macOS today can be found in the full blog post.

Article Link: Safari in New Versions of iOS and macOS Includes Full Third-Party Cookie Blocking
 

zorinlynx

macrumors 603
May 31, 2007
5,814
7,440
Florida, USA
Private Mode browsing works even better
Can websites still detect it though? I know there was some issues with some sites telling you that you couldn't browse in private mode, particularly newspapers that give you X "free" articles per month and use cookies to track this.

I don't like websites to be able to detect private mode, it goes beyond wanting to read free articles.
 

BWhaler

macrumors 68030
Jan 8, 2003
2,917
3,111
Thank you Apple and the Webkit Team.

While no company is perfect, it is a true gift to have the largest and best consumer tech company care so much about our privacy. There’s more money in selling us out, so I am grateful for the people of Apple taking a stand on principle.
 

H2SO4

macrumors 601
Nov 4, 2008
4,482
4,367
Can websites still detect it though? I know there was some issues with some sites telling you that you couldn't browse in private mode, particularly newspapers that give you X "free" articles per month and use cookies to track this.

I don't like websites to be able to detect private mode, it goes beyond wanting to read free articles.
I don't, (think), have a problem with it. There is no such thing as free. You always pay maybe not with money but there is certainly a price.
 
  • Like
Reactions: Digital Dude

now i see it

macrumors 601
Jan 2, 2002
4,672
9,237
In Private Mode, a cookie will be set by the website you visit if they use cookies but it's not retained. When you leave the page, the cookie/s automatically get deleted.
Check for yourself.
First delete all cookies in safari settings then visit a bunch of websites - then go back to settings and behold the horrorshow of tracking cookies you collected.
Then delete them all again and turn on Private Mode in safari and visit those websites again. Then check your cookie jar in safari settings - you'll see there's no cookies in there.

Private Mode does break some web pages. They won't function properly with its turned on. Then switch to normal browsing for those sites as needed (and delete your cookies afterwards if you're all done with them)
 

Twilbo

macrumors newbie
Mar 24, 2020
2
0
So you are happy for sites like this to go under as their advertising revenue dries up?
 

Digital Dude

macrumors 6502a
Trivia: I haven't used Safari is months due to how slow it runs compared to Microsoft Edge. So, after updating to 10.15.4, I figured I'd give it another try. It's still slower than Edge, but what the heck. So, I tried to apply an Apple Store order change, but it didn't work. I logged in as usual, with no problem. Then I could see my order just fine. If I want to apply changes, I'm required to sign in again for that specific task, and this is where the blank screen shows up. I ended up using my iPhone (13.4) to solve the issue. Perhaps it's just an Apple Store issue, but it's still slower than Edge.
 
Last edited:

nexu

macrumors member
Feb 24, 2017
68
111
In Private Mode, a cookie will be set by the website you visit if they use cookies but it's not retained. When you leave the page, the cookie/s automatically get deleted.
Check for yourself.
First delete all cookies in safari settings then visit a bunch of websites - then go back to settings and behold the horrorshow of tracking cookies you collected.
Then delete them all again and turn on Private Mode in safari and visit those websites again. Then check your cookie jar in safari settings - you'll see there's no cookies in there.

Private Mode does break some web pages. They won't function properly with its turned on. Then switch to normal browsing for those sites as needed (and delete your cookies afterwards if you're all done with them)
Yeah, it works. Thanks
 

nutmac

macrumors 601
Mar 30, 2004
4,427
2,412
Unfortunately, this option is breaking Google Classroom. All attachments are failing unless you disable "Prevent cross-site tracking" option.

Ironically, Apple is thanking Google on their blog post.
 

niji

Contributor
Feb 9, 2003
1,752
1,504
tokyo
Next step should be to provide an optional block/allow for even first-party scripts on a per-site basis - similar to Purify on iOS or NoScript on Firefox.
i would like to see a way for clearing history to remove all cookies except for ones that have been given special protected status - and those cookies are not removed when you clear all history. and, i want to be able to set a timed history clearing that's done automatically like every 30 or 60 minutes.
 

Westside guy

macrumors 603
Oct 15, 2003
5,518
2,469
The soggy side of the Pacific NW
Unfortunately, this option is breaking Google Classroom. All attachments are failing unless you disable "Prevent cross-site tracking" option.
This is probably on Google, not Apple. Apple‘s release note specifically mentions OAuth2 as a way to work within the new security model. Which, incidentally, is exactly what Google requires for third-party access to its own services (such as when you add your Google calendar to the Apple calendar app).
 
  • Like
Reactions: iGeneo and niji

LV426

macrumors 6502a
Jan 22, 2013
918
385
Can websites still detect it though? I know there was some issues with some sites telling you that you couldn't browse in private mode, particularly newspapers that give you X "free" articles per month and use cookies to track this.

I don't like websites to be able to detect private mode, it goes beyond wanting to read free articles.
Try it, in Private Mode, by going to the Panopticlick test site.
 
  • Like
Reactions: iGeneo

SantaFeNM

macrumors member
Oct 13, 2012
45
42
Santa Fe, NM
i would like to see a way for clearing history to remove all cookies except for ones that have been given special protected status - and those cookies are not removed when you clear all history. and, i want to be able to set a timed history clearing that's done automatically like every 30 or 60 minutes.
GREAT idea!
 
  • Like
Reactions: firewood

firewood

macrumors 604
Jul 29, 2003
7,735
956
Silicon Valley
i would like to see a way for clearing history to remove all cookies except for ones that have been given special protected status - and those cookies are not removed when you clear all history.
Did you submit an enhancement request via Apples bug reporter system?
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.