Apple announced that Safari is now fully blocking third party cookies. This is a milestone that surpasses Chrome.
Intelligent Tracking Prevention
Apple calls its feature Intelligent Tracking Prevention. It blocks third party cookies while still allowing access to cross-site cookies for services and features that a user has opted into, like payment preferences, subscriptions and commenting widgets.
This way a user can still take advantage of payment methods like PayPal while blocking third party cookies from advertising sites that the user does not want tracking them from site to site.
Safari accomplishes this with the Storage Access API, a technology it introduced in 2017. The Storage Access API allows a user who is logged into a social media site to take advantage of “liking” or commenting features, for example.
No Arbitrary Cookie Access
The Storage Access API will not allow random third parties to circumvent blocking. According to the W3C Privacy Community Group that is involved with developing the standards:
“The Storage Access API is not intended to grant arbitrary third-parties cookie access. It is only intended to grant cookie access to third parties that the user actively uses as first party too, i.e. websites the user recognizes and uses.
…the Storage Access API is not in conflict with single sign-on, cross-site subscription services, and federated logins.”
That means if you’re signed in to Facebook or PayPal, the services associated with those first party sites that the user has signed into will be able to perform as normal.
It’s only third party sites that the user has not opted into that will be blocked.
If the user is not signed in to the service, a pop up can be generated asking the user to sign in and accomplish whatever task they may have.
The announcement lists three key benefits:
- Disables cross-site request forgery attacks against websites through third-party requests.
- Removes the ability to use an auxiliary third-party domain to identify users. Such a setup could otherwise persist IDs even when users delete website data for the first party.
- Simplifies things for developers. Now it’s as easy as possible: If you need cookie access as third-party, use the Storage Access API.
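The flow described above, sketched as an added example (not code from Apple's announcement) for a widget running in a third-party iframe: check for cookie access, request it on a user gesture, and fall back to a first-party sign-in pop up if the request is declined. The function name, return values, element id and the widget.example URLs are assumptions made for illustration.

```javascript
// Added example. Runs inside a third-party iframe (e.g. a "like" widget).
// Call it from a click/tap handler: requestStorageAccess() needs a user gesture.
async function ensureCookieAccess(doc, openPopup, signInUrl) {
  // Browsers without the Storage Access API: nothing to request here.
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return 'unsupported';
  }
  // Already allowed to use this site's cookies in the embedded context.
  if (await doc.hasStorageAccess()) return 'granted';
  try {
    // Rejects when the user or the browser's policy declines, for example
    // when the user has never used this site as a first party.
    await doc.requestStorageAccess();
    return 'granted';
  } catch (err) {
    // No access: send the user to sign in on the site itself, as first party.
    openPopup(signInUrl);
    return 'needs-first-party-sign-in';
  }
}

// Browser wiring (skipped when there is no DOM, so the file also loads in Node).
if (typeof document !== 'undefined') {
  const button = document.getElementById('like-button'); // hypothetical id
  if (button) {
    button.addEventListener('click', async () => {
      const state = await ensureCookieAccess(
        document,
        (url) => window.open(url, '_blank', 'noopener'),
        'https://widget.example/login' // constructed placeholder URL
      );
      if (state === 'granted') {
        // Cookies are now attached to this credentialed request.
        await fetch('https://widget.example/api/like', {
          method: 'POST',
          credentials: 'include',
        });
      }
    });
  }
}
```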
Safari Beats Chrome for Privacy
Chrome browser is not scheduled to have full third party blocking until 2022, two years from now. Google has more at stake than Apple does with regard to third party blocking. Google’s earnings depend on third party cookies in order to facilitate behavioral advertising (aka creepy ads).
Presumably, what people call Google’s creepy ads won’t be able to follow a user from site to site with Safari’s third party cookie blocking which is turned on by default.
Will Safari Block Google Analytics?
Apple didn’t provide guidance specific to Google Analytics. However, because Google Analytics is a third party that users haven’t opted into as a first party, presumably Google Analytics cookies may be blocked. This is something that will need to be tested.
Read the full announcement here:
Full Third-Party Cookie Blocking and More