Thursday, July 18, 2024

Safari Private Browsing 2.0

John Wilander et al. (Mastodon):

These are the protections and defenses added to Private Browsing in Safari 17.0:

  • Link Tracking Protection
  • Blocking network loads of known trackers, including CNAME-cloaked known trackers
  • Advanced Fingerprinting Protection
  • Extensions with website or history access are off by default

In addition, we added these protections and defenses in all browsing modes:

  • Capped lifetime of cookies set in responses from cloaked third-party IP addresses
  • Partitioned SessionStorage
  • Partitioned blob URLs (starting in Safari 17.2)

We also expanded Web AdAttributionKit (formerly Private Click Measurement) as a replacement for tracking parameters in URL to help developers understand the performance of their marketing campaigns even under Private Browsing.

Kyle Howells:

Seriously considering switching from Safari to Chrome or Firefox because EVERY TIME I visit most websites I’m logged out.

Safari’s stupidly over aggressive privacy policy of purging cookies after 7 days turns out to be quicker than I visit most sites.

Jeff Johnson:

I don’t use 1password, but I signed up for a trial a few days ago to diagnose an issue. Just got this email. What an indictment of Safari!

Steve Troughton-Smith:

I don’t know if Safari has just fundamentally broken the web, or if sites are just detecting Safari and clearing their own cookies to get a tracking refresh. It’s got worse and worse to browse with.

I’ve been seeing this logout problem with Safari for years, and it’s gotten especially bad in the last few months.

Kyle Howells:

I posted this complaint about Safari logging me out 24hrs ago.

I just had to relogin in order to post this.

Jeff Johnson:

FWIW I almost never get logged out after this:

defaults write -g WebKitExperimentalIsFirstPartyWebsiteDataRemovalDisabled -bool true

Except for App Store Connect, which uses session cookies, which affects all web browsers.

It’s in the Feature Flags now, Disable Removal of Non-Cookie Data After 7 Days of No User Interaction.

Safari may reset this on updates, but putting it in the global defaults makes it immune from reset.

This did not work for me, so I think there must be multiple issues here.

Daniel Jalkut:

For the last few weeks Safari has become nearly impossible for me to use because it logs me out of EVERYTHING and forgets my state in web apps with cookie-based storage.

When I say it logs me out, I mean several times per day! Almost every time I return to a site, I have to log in again.

Googling suggests I’m not alone, but it’s far from a universal problem.

[…]

I’ve been to hell and back investigating this, and let me just say for now that if you suffer from this problem, I think turning ON the “Prevent cross-site tracking” preference in Safari will alleviate it.

He seems to have found a bug where turning off the extra privacy—which I did long ago to try to make Safari compatible with more sites—triggers a bug where Safari inappropriately deletes saved data.

Jeff Johnson:

“Private Browsing uses Oblivious DNS over HTTPS by default, which encrypts and proxies DNS queries to protect the privacy and integrity of these lookups.”

I’m not actually seeing this in my testing. Packet traces show DNS queries still occurring in the clear. Anyone else test this?

Jeff Johnson:

Advanced tracking and fingerprinting protection is in the Safari Advanced Settings on both iOS and macOS. The setting has three options: disabled, enabled in private browsing, or enabled in all browsing. Last year I wrote about why I disabled advanced tracking and fingerprinting protection in Safari. This year I found another reason: it breaks my Safari extension StopTheMadness Pro!

[…]

The way advanced tracking and fingerprinting protection appears to work is that if it blocks at least one third-party tracking script on a web page, then it also prevents every third-party script on the page from accessing the URL query string.

[…]

The problem with this “protection” is that it can break innocent third-party scripts. Even worse, Safari extension content scripts are treated as third party!

Update (2024-07-22): Kyle Howells:

The big problem with things like “Advanced tracking and fingerprinting protection” in Safari, is they are basically a fancy way of saying

“We worked out how to break as much of the webpage as possible, without you actually noticing anything is wrong”

Except they now disable, or break so many things that Safari is starting to just become a horrible unreliable web browser to use.

Kyle Howells:

In the last few days I’ve had to re-login to:

  • Google 5 times
  • reddit 4 times
  • mastodon 4 times
  • YouTube 3 times
  • GitHub 3 times

This can’t just be the privacy measures, this has to be an actual bug.

Except I haven’t installed a macOS update recently, so in theory nothing has changed?

This is the type of thing that I’ve been seeing lately, though worse. Turning on Prevent cross-site tracking seems to have helped a bit but did not fix the problem. I’m currently trying the voodoo of disabling the Develop menu.

7 Comments


I constantly had the logout problem in Safari until I just completely disabled the developer menu and started using Safari Technology Preview for anything that needs developer tools. That solved the problem for me.


Beatrix Willius

Weird, I never get logged out in Safari.

The problem for me is that older versions of Safari can't be updated. Nowadays for many websites Safari from Bug Sir isn't good enough.

Why would I trust Safari to store a secret key? This is the job of an app and not Safari's.


That sounds like the typical type of problem Safari would have. Although I, personally, never get logged out. I wonder what I’m doing differently. To my knowledge, I haven’t changed settings that would affect it.


You can add me to the list of folks that suffer from the logout bug. I've switched to Chrome for all browsing that requires me to be logged in to a site.


I was also affected by the bug. I gave up logging in to any affected website for the entirety of June. Now my GitHub session has persisted for more than 2 weeks already, so I'm hoping it's somehow fixed? I think it all began with Safari 17.4, but I can confirm the fix wasn't tied to 17.5.

Sadly, I strongly suspect it's tied to the 1Password extension — it's one of the few remaining points in common, and it was confirmed to cause most (but not all) of my "This webpage was reloaded because a problem occurred" errors for merely clicking links that open in new tabs.


Hey Michael, did the "Disable Removal of Non-Cookie Data After 7 Days of No User Interaction (ITP)" option as mentioned in https://mjtsai.com/blog/2023/01/13/20-years-of-safari/#comment-3870544 never work, or stop working at some point?


@Alexandre That’s the WebKitExperimentalIsFirstPartyWebsiteDataRemovalDisabled setting mentioned above. It may have helped last year—I’m not entirely sure—but it definitely doesn’t fix the current problems for me.
