Safari in macOS 10.15.4

Tuesday, March 24, 2020 3:51 PM

Safari in macOS 10.15.4 and iOS and ipadOS 13.4 includes enhancements to Apple's Intelligent Tracking Prevention feature that allow for full third-party cookie blocking, Apple's WebKit team said today in a new blog post.

Cookies for cross-site resources are blocked by default in the new versions of Safari, introducing significant privacy improvements because it further cuts down on cross-site tracking functionality.

It might seem like a bigger change than it is. But we've added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari. To keep supporting cross-site integration, we shipped the Storage Access API two years ago to provide the means for authenticated embeds to get cookie access with mandatory user control. It is going through the standards process in the W3C Privacy Community Group right now.

The new cookie blocking feature makes sure there's no Intelligent Tracking Prevention state that can be detected through cookie blocking behavior as it removes statefulness, and it also prevents an attacker from seeing ITP status.

Safari's default cookie policy requires a third-party to have "seeded" its cookie jar as first-party before it can use cookies as third-party. This means the absence of cookies in a third-party request can be due to ITP blocking existing cookies or the default cookie policy blocking cookies because the user never visited the website, the website's cookies have expired, or because the user or ITP has explicitly deleted the website's cookies.

Thus, the absence of cookies in a third-party request outside the attacker's control is not proof that the third-party domain is classified by ITP.

Safari is the first mainstream browser to fully block third-party cookies by default, and Apple's WebKit team wants to pave the way for other browsers to do the same, so it plans to report on the experiences of full third-party cookie blocking to W3C privacy groups in an effort to help other browsers make the change as well.