
Safari Blocks Third-Party Cookies by Default


Safari joins privacy-focused web browsers such as Tor and Brave in blocking third-party cookies by default, a move intended as a step forward for web privacy. Google, which announced a move in that direction in May 2019, will not block third-party cookies by default for all Chrome users until 2022. Blocking third-party cookies by default may disable login fingerprinting and some cross-site request forgery attacks.

Safari recently announced blocking cookies for cross-site resources by default. The move follows gradually tightening cookie restrictions that started with the introduction of Safari’s Intelligent Tracking Prevention (ITP) in 2017 (now in version 2.3). Safari describes the change as an improvement to user privacy:

Cookies for cross-site resources are now blocked by default across the board. This is a significant improvement for privacy since it removes any sense of exceptions or “a little bit of cross-site tracking is allowed.”

Mozilla’s Firefox has also blocked known third-party cookies by default since last year. Apple, for its part, has continuously updated ITP and further restricted the conditions under which first-party and third-party cookies can be used. Over the years, ITP reduced the lifetime of persistent client-side cookies from over a year to 24 hours. ITP also blocked some, but not all, third-party cookies by default on both desktop and mobile platforms. Safari 13.1 now blocks all third-party cookies by default for all users.

John Wilander, a software engineer at Apple, described in the blog post several advantages of blocking third-party cookies by default. It disables login fingerprinting, a problem first described 12 years ago: without protection, trackers can detect which websites a user is logged into and use that set of sites as a fingerprint. Blocking third-party cookies would also disable cross-site request forgery, another of the web’s original security vulnerabilities.

To keep supporting cross-site integration, Apple promotes the Storage Access API and the use of OAuth 2.0 Authorization. Wilander explained:

Here’s how you can make things work for your users:

Option 1: OAuth 2.0 Authorization with which the authenticating domain (in your case, the third-party that expects cookies) forwards an authorization token to your website which you consume and use to establish a first-party login session with a server-set Secure and HttpOnly cookie.

Option 2: The Storage Access API with which the third-party can request permission to get access to its first-party cookies.

The full blog post provides additional details on other technical elements of the ITP update and third-party cookie blocking.

Google shipped Chrome 80 with partial support for third-party cookie blocking (the SameSite cookie changes). However, blocking for all Chrome users is not expected until 2022. A recent New York Times article hinted at possible reasons behind the timeline:

[T]he American Association of Advertising Agencies and the Association of National Advertisers quickly complained in an open letter that removing cookies could “choke off the economic oxygen from advertising that start-ups and emerging companies need to survive.”

The introduction of ITP in 2017 likewise drew angry reactions from some advertising and marketing organizations, and concerns remain over the impact of cookie restrictions on commonly used tools such as Google Analytics.

Firefox announced blocking a list of known third-party cookies by default for all users in Firefox 69 in September 2019 with its Enhanced Tracking Protection feature. Microsoft’s Chromium-based Edge has also begun gradually blocking third-party cookies, but the feature is not enabled by default for all its users. Four other privacy-focused browsers (Tor, Brave, Epic, and Min) also block third-party cookies by default.

First-party cookies, created by the domain a user is visiting, improve the user experience: they keep a session open and store relevant information such as shopping-cart status, usernames and passwords, and more. Third-party cookies are created by domains other than the one the user is visiting. Common third-party cookies include retargeting cookies and those set by social media buttons and chat popups.

While first-party cookies are set by the publisher’s web server or by JavaScript loaded on the site and are only accessible via the site’s domain, third-party cookies are set by a third-party server through specific code and are accessible on any website that loads that third-party server’s code. Users can block or delete first-party cookies through their browser settings. Browsers are increasingly restricting or outright blocking the creation of third-party cookies by default.
