Friday, February 22, 2019

Intelligent Tracking Prevention 2.1

Apple (Hacker News, MacRumors):

As of ITP 2.1, partitioned cookies are no longer supported and third-parties classified with cross-site tracking capabilities now have to use the Storage Access API to get any cookie access.


Cookies can either be set in HTTP responses or through the document.cookie API, the latter sometimes referred to as client-side cookies. With ITP 2.1, all persistent client-side cookies, i.e. persistent cookies created through document.cookie, are capped to a seven day expiry.


WebKit implemented partitioned caches more than five years ago. A partitioned cache means cache entries for third-party resources are double-keyed to their origin and the first-party eTLD+1. This prohibits cross-site trackers from using the cache to track users. Even so, our research has shown that trackers, in order to keep their practices alive under ITP, have resorted to partitioned cache abuse. Therefore, we have developed the verified partitioned cache.

This all sounds good, but in practice ITP seems to get in the way of sites that I do want to remember me. There are some that I visit just once or twice a month (e.g. to pay a bill) that now treat my Mac as a brand new device (requiring extra authentication via security questions or SMS) every single time. As far as I know, there is no way to tell Safari to trust a particular site and always remember its cookies. So it’s either put up with a worse user experience or use a different browser.

Previously: Apple Is Removing “Do Not Track” From Safari.
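The seven-day cap on `document.cookie` cookies quoted above can be modelled with a small auditor that reports which of a site's cookies would have their lifetime shortened. This is an added example, not code from the post or from WebKit. The function names and the `'script'`/`'http'` source labels are assumptions, the sample cookies are constructed, and only the rule as quoted is modelled.

```javascript
// Added example: effectiveExpiry, auditCookies and the 'script'/'http' labels are hypothetical names.
const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;

// Split a cookie string (document.cookie assignment or Set-Cookie value) into name + attributes.
function parseCookie(str) {
  const [pair, ...rest] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? '' : a.slice(i + 1);
  }
  return { name, attrs };
}

// source: 'script' = set through document.cookie, 'http' = set by a Set-Cookie header.
function effectiveExpiry(str, source, nowMs) {
  const { name, attrs } = parseCookie(str);
  let requested = null; // stays null for a session cookie
  if (/^-?\d+$/.test(attrs['max-age'] || '')) {
    requested = nowMs + Number(attrs['max-age']) * 1000; // Max-Age takes precedence over Expires
  } else if (!Number.isNaN(Date.parse(attrs.expires || ''))) {
    requested = Date.parse(attrs.expires);
  }
  if (requested === null) return { name, persistent: false, expiresMs: null, capped: false };
  // Only persistent cookies created by script are capped; HTTP cookies keep their lifetime.
  const cap = nowMs + SEVEN_DAYS_MS;
  const capped = source === 'script' && requested > cap;
  return { name, persistent: true, expiresMs: capped ? cap : requested, capped };
}

// Names of the cookies whose requested lifetime is shortened by the cap.
function auditCookies(cookies, nowMs) {
  return cookies.map((c) => effectiveExpiry(c.str, c.source, nowMs))
    .filter((r) => r.capped).map((r) => r.name);
}

// Constructed sample input, evaluated as of the post's date.
const NOW = Date.UTC(2019, 1, 22);
const SAMPLE = [
  { str: '_uid=abc123; Max-Age=63072000; Path=/', source: 'script' },
  { str: 'sid=xyz; Max-Age=63072000; Path=/; Secure; HttpOnly', source: 'http' },
  { str: 'pref=dark; Expires=Mon, 25 Feb 2019 00:00:00 GMT', source: 'script' },
  { str: 'cart=1; Path=/', source: 'script' },
];
console.log(auditCookies(SAMPLE, NOW));
```

Only the two-year cookie written by script is reported. The same lifetime set by an HTTP response, the three-day preference cookie and the session cookie are unaffected.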

5 Comments

Actually none of this really sounds good compared to using GasMask + hostfile on my Mac in combination with AdGuard-macOS, or using AdGuard Pro on iOS and using their “privacy module” to load the same hostfile I use on the Mac side.

Of course AdGuard has whitelisting, and of course it’s really easy to whitelist for banking sites and services that you have paid for. And of course Apple discourages them in the iOS App Store.

Maybe one day Apple will get rid of their NIH attitude. Until then we kinda have to suffer while they get user security and privacy wrong.

I've been using the Cookie 5 app from SweetP Productions from the App Store. Great tool to clear cookies, caches, local and flash databases and other unwanted data (with white lists) across all browsers. Auto launch at boot and deletes cookies upon quitting the browser or on a timer.

I'd recommend using Fluidapp as a way to create a site-specific browsing experience for sites that you either have a long-term relationship with or that you'd prefer to be partitioned off from the rest of your browsing experience. I find this particularly useful for my credit union, which uses third-party sites for check cashing and a few other services. These sites "just work" and I know that the browsing experience is walled off from anything else I do. I also find it useful for Fastmail and Facebook, because it gives them their own Dock icon and, again, walls them off from the rest of my browsing.

It's amplified on this side of the pond: two do-gooders, ITP and GDPR, collide spectacularly, so you're not only flooded with cookie banners and fullscreen acceptance notices, but half the sites forget your acceptance right away… Took me a while to realize this is partly Safari's fault.

It's a minor pain I'm happy to live with for the benefit. As for banks, password and Security Code AutoFill make online banking pretty simple.
