Naked Security Naked Security

Apple Safari now blocks all third-party cookies by default

Starting in 13.1, advertisers and analytics firms can't track us through browser cookies. Apple says this also kills login fingerprinting.

“The long wait is over,” Apple WebKit engineer John Wilander announced on Tuesday: the latest update to the Safari browser is blocking third-party cookies by default for all users.
Safari 13.1 was released on Tuesday, bringing full cookie blocking and other updates to Apple’s Intelligent Tracking Prevention (ITP) privacy feature. What it means: online advertisers and analytics firms will no longer be able to use our browser cookies to follow us around like bloodhounds as we wander from site to site, tracking and mapping our interests and behavior for whatever profit-motivated, privacy-wrecking purposes they might have.
Is this is a big deal? Not really, Wilander said in a post on the WebKit team’s blog, given that previous work has meant that most cookies are already blocked:

It might seem like a bigger change than it is.
But we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.

Safari thus joins other browsers that either plan to or are already blocking third-party tracking cookies by default, including the Tor browser. Mozilla rolled out the privacy enhancement in September 2019, announcing that Firefox would block both tracking cookies and cryptomining by default.


Brave also blocks most third-party cookies, though it makes exceptions for a few popular third-party embedded sites. In January 2020, Google announced that it would gradually kill third-party cookies in Chrome over the course of two years.
But while it might appear that Apple beat Google to the third-party cookie kill fest, Google actually gets the credit for pushing browsers down the no-tracking path. In a May 2019 post, Google said that it planned to update Chrome to provide users with more transparency about how sites use cookies and would require developers to explicitly specify which cookies are allowed to work across websites and which could thus be used to track users.
But there are other ways to track us beyond cookies, as Google’s post explained, referring to browser fingerprints: a way to track users that doesn’t rely on cookies but instead gets identifying information from your browser that marks you as unique, such as what fonts are installed, what HTTP headers your browser sends, your screen size and your timezone. Naked Security’s Mark Stockley has called it “the cookie you can’t delete” and says it’s an extremely accurate way to identify your browser:

That collection of information varies so much from one browser to the next that it’s enough to tell any two browsers apart with startling accuracy.

In the announcement about third-party cookie blocking on Tuesday, Wilander said that the privacy enhancement will disable browser login fingerprinting: a technique that allows a website to invisibly detect where you’re logged in and which is viable in any browser without full third-party cookie blocking.

Since ‘global browser state’ has been top of mind in the web privacy community as of late, we’d like to point out that cookies themselves are global state and unless the browser blocks or partitions them in third-party contexts, they allow for cross-site leakage of user information such as login fingerprinting.

Wilander listed these other benefits of third-party cookie blocking:

  • Disables cross-site request forgery (CSRF) attacks against websites through third-party requests. [An example: Facebook suffered from a CSRF bypass flaw, which could have let attackers hijack accounts, in February 2019.] Apple notes that developers still need to protect against forged requests that come in through top frame navigations and pointed them to its materials on SameSite cookies for guidance.
  • Removes the ability to use an auxiliary third-party domain to identify users. Such a setup could otherwise persist IDs even when users delete website data for the first party.
  • Simplifies things for developers. Wilander says it’s now “as easy as possible: If you need cookie access as third-party, use the Storage Access API.”

Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.