In May of 2019, a Google blog post encouraged all web browsers to block third-party cookies by default. Google announced their own plans to do so, outlining a development strategy that would see Chrome and all Chromium-based browsers blocking them by default by 2022.

The Tor Browser was the first to make the switch, and now Apple’s Safari browser is the second, with the release of Safari 13.1.

Although the change has raised a few eyebrows in the user community, privacy groups and security analysts generally regard it as the right move.

As Apple software engineer John Wilander explains:

“This update takes several important steps to fight cross-site tracking and makes it more safe to browse the web.

First of all, it paves the way. We will report on our experiences of full third-party cookie blocking to the privacy groups in W3C to help other browsers take the leap. 

Second, full third-party cookie blocking removes the statefulness in cookie blocking.

Third, full third-party cookie blocking fully disables login fingerprinting, a problem on the web described already 12 years ago. Without protection, trackers can figure out which websites you’re logged in to and use it as a fingerprint. 

Fourth, full third-party cookie blocking solves cross-site request forgeries. This is one of the web’s original security vulnerabilities and discussed in communities like OWASP for well over a decade. Those vulnerabilities are now gone in Safari.”

All true, and if third-party cookies are something you’ve been concerned about, be sure to download Safari 13.1 today. Chrome users, sorry, but you’ll have to wait. While Google is still forging ahead with their plans to block third-party cookies by default, they are quite some distance from actually rolling anything out to end users.
