Out on Safari: Apple touts third-party cookie blocking in WebKit browser engine

Web developers that legitimately need cookie access as third parties are advised to use the Storage Access API as an alternative. Script-writable storage ...
Out on Safari: Apple touts third-party cookie blocking in WebKit browser engine

Apple has made further privacy improvements to the WebKit browser engine

The latest version of Apple’s Safari web browser offers enhanced and security measures through full third-party cookie blocking.

Safari 13.1, available on iOS and macOS, includes a new feature that blocks cookies for cross-site resources by default – a tightening of in the WebKit browser engine.

The move bolsters privacy since it disables login fingerprinting, a technique that means a website can, for example, use images to determine if a user is logged in to a particular service.

It also improves security by offering enhanced protection against (CSRF), a common class of web security flaw.

John Wilander, an Apple WebKit engineer behind Safari’s Intelligent Tracking Prevention technology, stated in a that full third-party cookie blocking “disables cross-site request forgery attacks against websites through third-party requests”.

Other security experts, such as Google’s , reckoned that the development, while nonetheless welcome, only prevents some – rather than all – classes of CSRF attacks.

Wilander, for his part, disputes these criticisms.

Top-level CSRF attacks would not be protected by the new WebKit feature. This is where sub resources aren’t used and, for example, a form post is executed in the main navigation and not in an iFrame.

Both Wilander and Ormandy agreed on this point during a on the topic on Twitter.

Web developers that legitimately need cookie access as third parties are advised to use the Storage Access API as an alternative.

’s latest update also means that the Intelligent Tracking Prevention technology built into the WebKit browser engine will purge all of a website’s script-writable storage after seven days of user inactivity on that site.

The inactivity deletion feature affects content including IndexedDB, LocalStorage, and Service Worker registrations.

At least some developers have that the time limit will damage the appeal and utility of offline web applications.

In addition, the move to block third-party cookies results in all cross-site document referrers being downgraded to their origin.

“This matches the already downgraded cross-site referrer request headers,” Wilander explained.

By downgrading the referrer to origin, this effectively removes the path of the URL and is therefore better for privacy.

Wilander concluded by encouraging developers to test their websites for compatibility with the release.

The latest update of Apple’s flagship browser also patches various security issues in Safari and Webkit.

include patches for five separate memory corruption issues in WebKit that can each result in code execution along with a fix for a input validation issue that creates an cross site scripting risk in unpatched browsers.



source https://portswigger.net/daily-swig/out-on-safari-apple-touts-third-party-cookie-blocking-in-webkit-browser-engine

Post a Comment

0 Comments