Apple is taking the Privacy Revolution one step further and has announced that cookies for cross-site resources are now blocked by default in Safari.
This is a significant improvement for privacy because it removes any sense of exceptions or “a little bit of cross-site tracking is allowed.”
Since the initial release of ITP (Intelligent Tracking Prevention) in 2017, Safari has incrementally added restrictions on what digital properties can track, so the recent change does not come as a big surprise: most third-party cookies were already blocked.
ITP is a privacy feature that detects which domains have the ability to track the user cross-site and either partitions the domain’s cookies or purges the website data altogether.
However, developers needed a way for embedded cross-site content to authenticate users who are already logged in to their first-party services.
To keep supporting cross-site integration, Apple came up with a practical solution in the form of Storage Access API, which allows for authenticated embeds while continuing to protect customers’ privacy by default.
What Does Third-Party Cookie Blocking Mean?
Tracking prevention or content blocking that treats web content differently based on its origin or URL risks being abused for tracking purposes. This is especially the case if the set of origins or URLs provides uniqueness to the browser and webpages can detect the differing treatment.
To counter this, the Safari team's position is that tracking prevention features must make it nearly impossible to detect which web content and website data are treated as capable of tracking.
Full third-party cookie blocking removes statefulness from cookie blocking. The internal state of tracking prevention could otherwise be turned into a tracking vector; full third-party cookie blocking makes sure there is no ITP state that can be inferred from cookie-blocking behavior.
In short, ITP now blocks all third-party requests from seeing their cookies, regardless of the third-party domain's classification status, unless the first-party website has already received user interaction.
ITP now downgrades all cross-site request referer headers to just the page’s origin. Previously, this was only done for cross-site requests to classified domains.
As an example, a request to https://images.example that would previously contain the referer header “https://store.example/baby/strollers/deluxe-stroller-navy-blue.html” will now be reduced to just “https://store.example/”.
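The referer downgrade described above, modelled as an added example (this is not code from the post or from WebKit). The site comparison is an assumption: it treats the last two host labels as the site, whereas real browsers consult the Public Suffix List. Same-site requests are returned with the full URL, which is the no-policy default and is outside the scope of the ITP rule; a page's own Referrer-Policy can trim that further.

```javascript
// Added example (not from the original post): models Safari's cross-site
// referer downgrade. siteOf() is an ASSUMPTION: it takes the last two host
// labels as the registrable domain; browsers use the Public Suffix List.

// Approximate the "site" (registrable domain) of a hostname.
function siteOf(hostname) {
  const labels = hostname.split('.');
  return labels.length <= 2 ? hostname : labels.slice(-2).join('.');
}

// Returns the Referer value a request from pageUrl to targetUrl carries.
// Cross-site: origin only, with a trailing slash, as in the post's example.
// Same-site: full URL with fragment and credentials stripped, which is what
// browsers send when no Referrer-Policy is set (assumed default here).
function refererFor(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const crossSite = siteOf(page.hostname) !== siteOf(target.hostname);
  if (crossSite) {
    return page.origin + '/';
  }
  page.hash = '';
  page.username = '';
  page.password = '';
  return page.href;
}

// Classifies a Referer value seen in server logs, so a backend can confirm
// it is no longer receiving paths from cross-site visitors (and should not
// be relying on them).
function refererKind(referer) {
  if (!referer) return 'none';
  const u = new URL(referer);
  return u.pathname === '/' && !u.search ? 'origin-only' : 'full-url';
}
```

Running `refererFor('https://store.example/baby/strollers/deluxe-stroller-navy-blue.html', 'https://images.example/hero.png')` yields the post's `https://store.example/`; `refererKind` is the check a backend owner would run over access logs to confirm that nothing downstream still depends on cross-site referer paths.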
Benefits of Full Third-Party Cookie Blocking
- Disables cross-site request forgery attacks against websites through third-party requests.
- Removes the ability to use an auxiliary third-party domain to identify users.
- Simplifies processes for developers. If developers need cookie access as a third party, they can use the Storage Access API.
How Developers Can Comply
Safari provided a guide for websites that still rely on third-party cookies to move away from the practice and comply with the norms imposed by the new release.
There are three options developers can choose from, as explained by Apple.
Option 1: OAuth 2.0 authorization, where the authenticating domain (in this case, the third party that expects cookies) forwards an authorization token to your website, which you consume and use to establish a first-party login session with a server-set Secure and HttpOnly cookie.
Option 2: The Storage Access API, where the third party can request permission to access its first-party cookies.
Option 3: A temporary compatibility fix for popups. This fix allows the third party to open a popup from your website, and through a click in that popup it gains temporary cookie access under the opener page on your website. This option is only worth considering as a stopgap to save time during a transition period, because Apple plans to remove the feature in a future version of Safari.
If you need assistance with organizing your digital property, optimizing your data collection, or implementing an analytics initiative, our world-class analysts can help you gain a better understanding of your business.