Along with the launch of iOS 13, iPadOS, and Safari 13, Apple announced a major update for analysts: the new ITP 2.3.
With the previous update, ITP 2.2, Apple focused mostly on the abuse of so-called link decoration for the purposes of cross-site tracking. With ITP 2.2, when a webpage is navigated from a domain classified by ITP and the landing URL has a query string or fragment, the expiry of persistent client-side cookies created on that page is 24 hours.
However, Apple states that according to recent data, the changes did not have the sought-after results, and some websites continued to abuse link decoration. With ITP 2.3, Apple is trying to take extra steps to ensure their objective is fulfilled.
What’s New With ITP 2.3
First and foremost, ITP 2.3 introduces capped lifetime for all script-writeable website data. Ever since the introduction of ITP 2.2, several trackers have announced their move from first-party cookies to alternate first-party storage, such as LocalStorage. Apple explains that ITP 2.3 counteracts this in the following ways:
- website.example will be marked for non-cookie website data deletion if the user is navigated from a domain classified with cross-site tracking capabilities to a final URL with a query string and/or a fragment identifier, such as website.example?clickID=0123456789.
- After seven days of Safari use without the user interacting with a webpage on website.example, all of website.example’s non-cookie website data is deleted.
This effectively removes trackers’ ability to use link decoration combined with long-term first-party website data storage to track users. In other words, ITP 2.3 caps the lifetime of all script-writeable website data after a navigation with link decoration from a classified domain.
“The reason why we cap the lifetime of script-writable storage is simple. Site owners have been convinced to deploy third-party scripts on their websites for years. Now those scripts are being repurposed to circumvent browsers’ protections against third-party tracking. By limiting the ability to use any script-writeable storage for cross-site tracking purposes, ITP 2.3 makes sure that third-party scripts cannot leverage the storage powers they have gained over all these websites,” Apple explains.
Apple also discovered that some trackers, instead of decorating the link of the destination page, decorate their own referrer URL and read the tracking ID through document.referrer on the destination page. With ITP 2.3, Safari will counteract this by downgrading document.referrer to the referrer’s eTLD+1 (effective top-level domain plus one label) if the referrer has link decoration and the user was navigated from a classified domain.
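To see what a landing page's analytics code will observe under these rules, here is a simplified model of the storage-deletion and referrer-downgrade decisions. It is an added example, not Apple's or WebKit's code; the classified-domain list, the two-entry suffix list, tracker.example, and the exact string form of the downgraded referrer are assumptions made for illustration.

```javascript
// Added illustration: simplified model of the ITP 2.3 rules described above.
// CLASSIFIED and SUFFIXES are constructed sample data, not Safari's real lists.
const CLASSIFIED = new Set(["tracker.example"]);
const SUFFIXES = new Set(["example", "co.uk"]); // stand-in for the Public Suffix List

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return labels.slice(-2).join("."); // fallback when no listed suffix matches
}

// Link decoration: a query string and/or a fragment identifier.
function isDecorated(url) {
  const u = new URL(url);
  return u.search !== "" || u.hash !== "";
}

// What the landing page experiences for one navigation.
function modelNavigation(referrerUrl, landingUrl) {
  const ref = new URL(referrerUrl);
  const site = registrableDomain(ref.hostname);
  const fromClassified = CLASSIFIED.has(site);
  return {
    // document.referrer is cut to eTLD+1 when the classified referrer's own
    // URL is decorated (assumed string form: scheme + registrable domain).
    referrer: fromClassified && isDecorated(referrerUrl)
      ? `${ref.protocol}//${site}/`
      : referrerUrl,
    // The landing site is marked for non-cookie data deletion when the final
    // URL carries a query string or fragment.
    markedForDeletion: fromClassified && isDecorated(landingUrl),
  };
}

// Marked sites lose non-cookie website data after seven days of Safari use
// without user interaction on that site.
function storageDeleted(marked, daysOfUseWithoutInteraction) {
  return marked && daysOfUseWithoutInteraction >= 7;
}
```

A site owner can use the same checks to predict which sessions will arrive with a stripped referrer or short-lived LocalStorage.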
ITP 2.3 Brings Updates to the Storage Access API
With ITP 2.3, Safari announces that Storage Access API only consumes the user gesture (tap or click) when the user explicitly denies access (i.e., when the user is prompted and picks “Don’t allow”). Previously, the gesture was also consumed when the promise was rejected without a user prompt, such as when the requesting domain was classified by ITP and had not received user interaction as a first-party website in the last 30 days of Safari use. This meant the user had to tap or click again to be shown a popup to log into the third-party service.
Some services are requesting storage access on every click or tap, regardless of previous interactions with the user. To counter such repeated prompting, WebKit’s implementation of the Storage Access API will now automatically reject the request for storage access for documents where the user has picked “Don’t Allow” in the prompt twice.
ITP Debug Mode in Safari on macOS Catalina
Safari 13 on macOS includes ITP Debug Mode. It’s been available in Safari Technology Preview for quite some time, but now it’s available in regular Safari so that you can debug your websites with the same Safari your customers are using.
Classifying a Custom Domain for Testing
With ITP Debug Mode and User Defaults, you can manually set a custom domain as permanently classified with tracking capabilities. Here’s how you achieve this for a domain called website.example:
- Open System Preferences, click Security & Privacy, and unlock the padlock to be able to make changes.
- Pick the Full Disk Access category to the left.
- Use the + button to add the Terminal application to the list and make sure its checkbox is ticked.
- Open Terminal and execute the following command: defaults write com.apple.Safari ITPManualPrevalentResource website.example
- Go back to Security & Privacy in System Preferences and untick the checkbox for Terminal to not allow it permanent full disk access.
Apple first introduced Intelligent Tracking Prevention v1.0 in September 2017. ITP is a Safari feature that was originally designed to reduce cross-site tracking by limiting the storage of 3rd-party cookies.
The ability to fetch resources such as images or scripts from different domains is one of the most powerful web features, commonly referred to as cross-origin or cross-site loading. However, the same feature also enables cross-site tracking of users using first or third-party cookies, which could be a privacy concern.
With the recent changes, Apple tries to get ahead of any privacy concerns and prohibit any intrusive tracking that may negatively impact the customer experience. We’re expecting this is only the beginning, and all major browsers will soon adopt similar measures.