Apple has released an update to Intelligent Tracking Prevention (ITP) in iOS and iPadOS 13.4 and Safari 13.1 on macOS to fully block third-party cookie.
John Wilander, Apple’s WebKit engineer behind Safari’s ITP, published a blog post on Tuesday that outlined the enhancements.
The post reads, “Cookies for cross-site resources are now blocked by default across the board. This is a significant improvement for privacy since it removes any sense of exceptions or ‘a little bit of cross-site tracking is allowed.'”
Wilander also added on Twitter that this update marks a significant step “to fight cross-site tracking and make it more safe to browse the web.”
This update takes several important steps to fight cross-site tracking and make it more safe to browse the web. First of all, it paves the way. We will report on our experiences of full third-party cookie blocking to the privacy groups in W3C to help other browsers take the leap.
— John Wilander (@johnwilander) March 24, 2020
Wilander reassured that the change it’s not as big as it seems, as Apple has added so many restrictions to ITP since its initial release in 2017 that they “are now at a place where most third-party cookies are already blocked in Safari.”
This update is a huge move for Apple, as Google will only start fully blocking third-party cookies at some point in 2022.
Wilander continued by explaining this update removes statefulness from cookie blocking to make sure there’s no ITP state that can be detected through cookie blocking behaviour, and thanked Google for initiating this analysis through their report.
The update also disables login fingerprinting; disables cross-site request forgery attacks against websites through third-party requests; removes the ability to use an auxiliary third-party domain to identify users; and and simplifies things for developers who will be able to gain cookie access as third-party through the Storage Access API.