Safari Now Prevents Tracking Prevention Tracking

In a blog post called “Preventing Tracking Prevention Tracking” WebKit’s John Wilander explained a new Safari capability.

Intelligent Tracking Prevention

This update to Safari arrived with iOS 13.3, iPadOS 13.3, and Safari 13.0.3 on macOS Catalina, Mojave, and High Sierra. Features like tracking prevention and content blocking can themselves be abused for tracking purposes. But three new enhancements make it hard or impossible to detect which web content and website data is capable of tracking.

Origin-Only Referrer For All Third-Party Requests

ITP limits referrer headers to a web page’s origin, which was previously only done for cross-site requests to classified domains.

As an example, a request to https://images.example that would previously contain the referrer header “https://store.example/baby/strollers/deluxe-stroller-navy-blue.html” will now be reduced to just “https://store.example/”.

All Third-Party Cookies Blocked Without Prior User Interaction

ITP now blocks all third-party requests from seeing their cookies unless the first-party website has already had some type of user interaction. I’m not sure how they define “interaction” but I assume this means that third-party cookies will be blocked if you’re just casually reading an article or looking at a web page.

There are a couple of other updates but aimed more towards developers. The first is that Safari’s Storage Access API takes the browser’s cookie policy into consideration when handling calls to document.hasStorageAccess(). The second update is that the absence of cookies in a third-party request doesn’t reveal the status of ITP.

Interestingly, Mr. Wilander ends the blog post by thanking Google:

We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above. Full credit will be given in upcoming security release notes.

Further Reading:

[iOS 13.3: How to Set Screen Time Communication Limits]

[Mac Pro’s Different Pricing Options]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.