What you need to know
- Yesterday, Apple released iOS 13.4 to the public.
- It brought with it new security and privacy features for Safari on both iOS and Mac.
- Apple now blocks all third-party cookies by default.
Apple released iOS 13.4 to the public yesterday, and with it a swathe of new privacy and security features to better protect its users whilst browsing.
The new release comes with several improvements to Apple's Intelligent Tracking Prevention features and also Safari on macOS. Apple's John Wilander described the changes in a blog post:
Cookies for cross-site resources are now blocked by default across the board. This is a significant improvement for privacy since it removes any sense of exceptions or "a little bit of cross-site tracking is allowed."
It might seem like a bigger change than it is. But we've added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari. To keep supporting cross-site integration, we shipped the Storage Access API two years ago to provide the means for authenticated embeds to get cookie access with mandatory user control. It is going through the standards process in the W3C Privacy Community Group right now.
In a tweeted summary of the changes Wilander said:
This update takes several important steps to fight cross-site tracking and make it more safe to browse the web. First of all, it paves the way. We will report on our experiences of full third-party cookie blocking to the privacy groups in W3C to help other browsers take the leap... Second, full third-party cookie blocking removes statefulness in cookie blocking. There were many who raised concerns over ITP's future back in January. Hopefully, they'll now help spread the message that ITP is not only OK, it's leading the way.
Full third-party cookie blocking also fully disables login fingerprinting, a technique that detects which websites you're logged into and uses that as a fingerprint. Wilander says Apple's new updates have also solved "cross-site request forgeries" and that all script-writeable storage will now expire after seven days, as client-side cookies do.
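The Storage Access API mentioned in Wilander's post is how an authenticated cross-site embed asks for cookie access now that third-party cookies are blocked by default. The code below is an added example, not code from Apple or from the original article: `ensureCookieAccess`, `wireLoginButton` and the two view-loading callbacks are hypothetical names, while `document.hasStorageAccess()` and `document.requestStorageAccess()` are the API's own methods.

```javascript
// Added example: runs inside a cross-site <iframe> (for instance an embedded
// comment widget). `doc` is the iframe's document; it is passed in as a
// parameter so the logic can be exercised outside a browser.
async function ensureCookieAccess(doc) {
  // Browsers without the Storage Access API: there is nothing to request.
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return 'unsupported';
  }

  // Access may already have been granted earlier for this embed.
  if (await doc.hasStorageAccess()) {
    return 'already-granted';
  }

  try {
    // Must be called from a user gesture (tap or click) inside the iframe;
    // this is the "mandatory user control" part of the API.
    await doc.requestStorageAccess();
    return 'granted';
  } catch (err) {
    // The promise rejects when the user declines or when the call was not
    // made from a user gesture.
    return 'denied';
  }
}

// Hypothetical wiring: loadSignedInView and loadSignedOutView are placeholder
// callbacks supplied by the embedding widget.
function wireLoginButton(doc, button, loadSignedInView, loadSignedOutView) {
  button.addEventListener('click', async () => {
    const result = await ensureCookieAccess(doc);
    if (result === 'granted' || result === 'already-granted') {
      loadSignedInView();   // the embed's requests can now carry its cookies
    } else {
      loadSignedOutView();  // degrade to the logged-out view, do not re-prompt in a loop
    }
  });
}
```

An embed that used to rely on its third-party cookie being sent automatically should fall back to a signed-out view when the result is `denied` or `unsupported`.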