iOS 12.2 and Safari 12.1 for macOS Include Updated Intelligent Tracking Prevention Feature
Safari in the iOS 12.2 beta and Safari 12.1 for macOS High Sierra and Mojave includes an updated version of Intelligent Tracking Prevention, according to details shared on Apple's WebKit blog.
ITP 2.1, as Apple is calling it, caps client-side cookie storage to seven days. After this time period, cookies expire. As outlined by Apple, this offers improvements in privacy, security, and performance. From Apple's WebKit blog:
- Cross-site trackers have started using first-party sites' own cookie jars for the purpose of persistent tracking. The first-party storage space is especially troublesome for privacy since all tracker scripts in the first-party context can read and write each other's data. Say social.example writes a user tracking ID as a news.example first-party cookie. Now analytics.example, adnetwork.example, and video.example can leverage or cross pollinate that user tracking ID through their scripts on news.example.
- Cookies available in document.cookie can be stolen by speculative execution attacks on memory. Therefore, they should not carry sensitive information such as credentials.
- Cookies available in document.cookie can be stolen by cross-site scripting attacks. Again, therefore, they should not carry sensitive information such as credentials.
- The proliferation of cookies slows down page and resource loads since cookies are added to every applicable HTTP request. Additionally, many cookies have high entropy values which means they cannot be compressed efficiently. We come across sites with kilobytes of cookies sent in every resource request.
- There is a size limit on outgoing cookie headers for performance reasons, and websites risk hitting this limit when cross-site trackers add first-party cookies. We've investigated reports of news site subscribers getting spuriously logged out, and found that trackers were adding so many cookies that the news site's legitimate login cookie got pushed out.
The cookie storage limits will not log users out as long as websites are using the appropriate authentication cookies because it only affects cookies created through document.cookie.
ITP 2.1 also allows for just a single set of cookies per site rather than multiples, and third party tools with cross-site tracking capabilities need to use the Storage Access API to get cookie access.
Apple says this change simplifies cookie behavior for developers, lowers the memory footprint of Safari, and makes Intelligent Tracking Prevention compatible with more platforms.
A verified partitioned cache for cutting down on cache abuse for tracking purposes is also included, and as we covered earlier this month, support for Do Not Track has been disabled.
Apple says that it is removing Do Not Track because most websites never paid any attention to it since it was opt-in and could be ignored.
The DNT project recently ended without the publication of a standard, in part "because there has not been sufficient deployment of these extensions (as defined) to justify further advancement." Given the lack of deployment of DNT and Safari's on by default privacy protections such as ITP, Safari removed support for DNT so that users are not presented with a misleading and ineffective privacy control that, if anything, only offered additional browser fingerprinting entropy.
Additional details on the Intelligent Tracking Prevention updates being introduced are available via Apple's full WebKit blog post.