Apple has released an update to its Safari browser that blocks third-party cookies, following an announcement by Google that it would do the same for its Chrome browser.
Through the release of Safari 13.1 on Tuesday, alongside some changes to Apple’s Intelligent Tracking Prevention (ITP) in iOS and iPadOS 13.4, the company now blocks all third-party cookies by default in its browser, according to a blog post by the engineer behind Apple’s WebKit, John Wilander.
He called Safari the “first mainstream browser to do this,” acknowledging that the less widely used Tor browser already has full third-party cookie blocking, and that the Brave browser is nearly there as well.
Indeed, Apple appears to have beaten Google to the punch in blocking third-party cookies, which will prevent advertisers and online marketers from virtually following people around the web with ad-targeting cookies. Google announced last May in a blog post that it would provide the same functionality in Chrome, and then in January updated the timeline for the move to 2022.
At the beginning of February, Google released Chrome v80, with support for third-party cookie blocking in a feature called SameSite cookies, which will complete full rollout in about two years.
Wilander said the change for Safari seems brand-new, but it’s actually not so drastic — the browser already was blocking most third-party cookies through restrictions in ITP.
“To keep supporting cross-site integration, we shipped the Storage Access API two years ago to provide the means for authenticated embeds to get cookie access with mandatory user control,” he wrote in the post. “It is going through the standards process in the W3C Privacy Community Group right now.”
Apple’s implementation of the feature in Safari does a few specific things, Wilander said. For one, it removes statefulness in cookie blocking, which he credited Google with identifying as something that can be turned into a tracking vector.
“Full third-party cookie blocking makes sure there’s no ITP state that can be detected through cookie-blocking behavior,” Wilander wrote. “We’d like to again thank Google for initiating this analysis through their report.”
The feature in Safari also disables login fingerprinting, which allows a website to invisibly detect where someone is logged in — and it works in any browser without full third-party cookie blocking, he said.
“Since ‘global browser state’ has been top of mind in the web privacy community as of late, we’d like to point out that cookies themselves are global-state, and unless the browser blocks or partitions them in third-party contexts, they allow for cross-site leakage of user information such as login fingerprinting,” Wilander explained.
Other benefits of full third-party cookie blocking include the disabling of cross-site request forgery (CSRF) attacks against websites through third-party requests, and the removal of the ability for someone to use an auxiliary third-party domain to identify users, he said.
Finally, the blocking features in Safari also should simplify things for developers who need cookie access as a third party, giving them the sole option of using the Storage Access API to do so, Wilander added.
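As an added illustration (not code from Wilander's post or from Apple), this is roughly the flow an embedded third-party frame follows with the Storage Access API's `document.hasStorageAccess()` and `document.requestStorageAccess()`. The function names `ensureStorageAccess` and `attachSignIn`, the `onResult` callback and the `sign-in` element id are hypothetical.

```javascript
// Added example. Runs inside the embedded third-party iframe.
// `doc` is that frame's `document`; it is a parameter so the logic can be exercised with a stub.
async function ensureStorageAccess(doc) {
  // Browser without the Storage Access API: there is nothing to request.
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return "unsupported";
  }
  // Already allowed, e.g. the user granted access earlier.
  if (await doc.hasStorageAccess()) {
    return "granted";
  }
  try {
    // Must be called while handling a user gesture; the browser may prompt the user.
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    // The promise rejects when the user declines or no gesture was in progress.
    return "denied";
  }
}

// Tie the request to a click so it is made during a user gesture.
// `onResult` (hypothetical callback) receives "granted", "denied" or "unsupported".
function attachSignIn(doc, button, onResult) {
  button.addEventListener("click", async () => {
    onResult(await ensureStorageAccess(doc));
  });
}

// Browser-only wiring; "sign-in" is a hypothetical element id.
if (typeof document !== "undefined") {
  const button = document.getElementById("sign-in");
  if (button) {
    attachSignIn(document, button, (state) => {
      // On "denied", render the embed without relying on the user's cookies.
      console.log("storage access:", state);
    });
  }
}
```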
Wilander outlined some other recommendations for developers in his post, and encouraged them to test websites for compatibility with the new Safari features and report any bugs to Apple.