{"id":44141,"date":"2024-07-18T14:30:56","date_gmt":"2024-07-18T18:30:56","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=44141"},"modified":"2024-07-22T14:19:53","modified_gmt":"2024-07-22T18:19:53","slug":"safari-private-browsing-2-0","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/07\/18\/safari-private-browsing-2-0\/","title":{"rendered":"Safari Private Browsing 2.0"},"content":{"rendered":"<p><a href=\"https:\/\/webkit.org\/blog\/15697\/private-browsing-2-0\/\">John Wilander et al.<\/a> (<a href=\"https:\/\/mastodon.social\/@wilander\/112797320892535400\">Mastodon<\/a>):<\/p>\n<blockquote cite=\"https:\/\/webkit.org\/blog\/15697\/private-browsing-2-0\/\">\n<p>These are the protections and defenses added to Private Browsing in Safari 17.0:<\/p>\n<ul>\n<li>Link Tracking Protection<\/li>\n<li>Blocking network loads of known trackers, including CNAME-cloaked known trackers<\/li>\n<li>Advanced Fingerprinting Protection<\/li>\n<li>Extensions with website or history access are off by default<\/li>\n<\/ul>\n<p>In addition, we added these protections and defenses in all browsing modes:<\/p>\n<ul>\n<li>Capped lifetime of cookies set in responses from cloaked third-party IP addresses<\/li>\n<li>Partitioned SessionStorage<\/li>\n<li>Partitioned blob URLs (starting in Safari 17.2)<\/li>\n<\/ul>\n<p>We also expanded Web AdAttributionKit (formerly Private Click Measurement) as a replacement for tracking parameters in URL to help developers understand the performance of their marketing campaigns even under Private Browsing.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@iKyle\/112799514560685928\">Kyle Howells<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@iKyle\/112799514560685928\"><p>Seriously considering switching from Safari to Chrome or Firefox because EVERY TIME I visit most websites I&rsquo;m logged out.<\/p><p>Safari&rsquo;s stupidly over aggressive privacy policy of purging cookies after 7 days turns out to be quicker than I visit most sites.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@lapcatsoftware\/112793347549913419\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@lapcatsoftware\/112793347549913419\">\n<p>I don&rsquo;t use 1password, but I signed up for a trial a few days ago to diagnose an issue. Just got this email. What an indictment of Safari!<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@stroughtonsmith\/112799547782176825\">Steve Troughton-Smith<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@stroughtonsmith\/112799547782176825\"><p>I don&rsquo;t know if Safari has just fundamentally broken the web, or if sites are just detecting Safari and clearing their own cookies to get a tracking refresh. It&rsquo;s got worse and worse to browse with<\/p><\/blockquote>\n\n<p>I&rsquo;ve been seeing this logout problem with Safari for years, and it&rsquo;s gotten especially bad in the last few months.<\/p>\n\n<p><a href=\"https:\/\/mastodon.social\/@iKyle\/112805078932603933\">Kyle Howells<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@iKyle\/112805078932603933\">\n<p>I posted this complaint about Safari logging me out 24hrs ago.<\/p>\n<p>I just had to relogin in order to post this.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@lapcatsoftware\/112657411902859850\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@lapcatsoftware\/112657411902859850\">\n<p>FWIW I almost never get logged out after this:<\/p>\n<pre>defaults write -g WebKitExperimentalIsFirstPartyWebsiteDataRemovalDisabled -bool true<\/pre>\n<p>Except for App Store Connect, which uses session cookies, which affects all web browsers.<\/p>\n<\/blockquote>\n<blockquote cite=\"https:\/\/mastodon.social\/@lapcatsoftware\/112657471927124206\"><p>It&rsquo;s in the Feature Flags now, Disable Removal of Non-Cookie Data After 7 Days of No User Interaction.<\/p><p>Safari may reset this on updates, but putting it in the global defaults makes it immune from reset.<\/p><\/blockquote>\n<p>This did not work for me, so I think there must be multiple issues here.<\/p>\n\n<p><a href=\"https:\/\/mastodon.social\/@danielpunkass\/112690660943027799\">Daniel Jalkut<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@danielpunkass\/112690660943027799\"><p>For the last few weeks Safari has become nearly impossible for me to use because it logs me out of EVERYTHING and forgets my state in web apps with cookie-based storage.<\/p><p>When I say it logs me out, I mean several times per day! Almost every time I return to a site, I have to log in again.<\/p><p>Googling suggests I&rsquo;m not alone, but it&rsquo;s far from a universal problem.<\/p><p>[&#8230;]<\/p><p>I&rsquo;ve been to hell and back investigating this, and let me just say for now that if you suffer from this problem, I think turning ON the &ldquo;Prevent cross-site tracking&rdquo; preference in Safari will alleviate it.<\/p><\/blockquote>\n<p>He seems to have found a bug where turning <em>off<\/em> the extra privacy&mdash;which I did long ago to try to make Safari compatible with more sites&mdash;triggers a bug where Safari inappropriately deletes saved data.<\/p>\n\n<p><a href=\"https:\/\/mastodon.social\/@lapcatsoftware\/112799094948252961\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@lapcatsoftware\/112799094948252961\">\n<p>&ldquo;Private Browsing uses Oblivious DNS over HTTPS by default, which encrypts and proxies DNS queries to protect the privacy and integrity of these lookups.&rdquo;<\/p>\n<p>I&rsquo;m not actually seeing this in my testing. Packet traces show DNS queries still occurring in the clear. Anyone else test this?<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/2024\/6\/5.html\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/2024\/6\/5.html\"><p>Advanced tracking and fingerprinting protection is in the Safari Advanced Settings on both iOS and macOS. The setting has three options: disabled, enabled in private browsing, or enabled in all browsing. Last year I wrote about <a href=\"https:\/\/lapcatsoftware.com\/articles\/2023\/10\/7.html\">why I disabled advanced tracking and fingerprinting protection in Safari<\/a>. This year I found another reason: it breaks my Safari extension <a href=\"https:\/\/underpassapp.com\/StopTheMadness\/\">StopTheMadness Pro<\/a>!<\/p><p>[&#8230;]<\/p><p>The way advanced tracking and fingerprinting protection appears to work is that if it blocks at least one third-party tracking script on a web page, then it also prevents every third-party script on the page from accessing the URL query string.<\/p><p>[&#8230;]<\/p><p>The problem with this &ldquo;protection&rdquo; is that it can break innocent third-party scripts. Even worse, Safari extension content scripts are treated as third party!<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/07\/18\/safari-private-click-measurement-and-firefox-privacy-preserving-attribution\/\">Safari Private Click Measurement and Firefox Privacy-Preserving Attribution<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/07\/18\/safari-18-announced\/\">Safari 18 Announced<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/01\/10\/google-settles-incognito-lawsuit\/\">Google Settles Incognito Lawsuit<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/06\/19\/safari-17-link-tracking-protection\/\">Safari 17 Link Tracking Protection<\/a><\/li>\n<\/ul>\n\n<p id=\"safari-private-browsing-2-0-update-2024-07-22\">Update (2024-07-22): <a href=\"https:\/\/mastodon.social\/@iKyle\/112810128201989554\">Kyle Howells<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@iKyle\/112810128201989554\"><p>The big problem with things like &ldquo;Advanced tracking and fingerprinting protection&rdquo; in Safari, is they are basically a fancy way of saying<\/p><p>&ldquo;We worked out how to break as much of the webpage as possible, without you actually noticing anything is wrong&rdquo;<\/p><p>Except they now disable, or break so many things that Safari is starting to just become a horrible unreliable web  browser to use.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@iKyle\/112810235900210760\">Kyle Howells<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@iKyle\/112810235900210760\"><p>In the last few days I&rsquo;ve had to re-login to:<\/p><ul><li>Google 5 times<\/li><li>reddit 4 times<\/li><li>mastodon 4 times<\/li><li>YouTube 3 times<\/li><li>Github 3 times<\/li><\/ul><p>This can&rsquo;t just be the privacy measures, this has to be an actual bug.<\/p><p>Except I haven&rsquo;t installed a macOS update recently, so in theory nothing has changed?<\/p><\/blockquote>\n<p>This is the type of thing that I&rsquo;ve been seeing lately, though worse. Turning on <strong>Prevent cross-site tracking<\/strong> seems to have helped a bit but did not fix the problem. I&rsquo;m currently trying the <a href=\"https:\/\/mjtsai.com\/blog\/2024\/07\/18\/safari-private-browsing-2-0\/#comment-4129701\">voodoo<\/a> of disabling the <strong>Develop<\/strong> menu.<\/p>","protected":false},"excerpt":{"rendered":"<p>John Wilander et al. (Mastodon): These are the protections and defenses added to Private Browsing in Safari 17.0: Link Tracking Protection Blocking network loads of known trackers, including CNAME-cloaked known trackers Advanced Fingerprinting Protection Extensions with website or history access are off by default In addition, we added these protections and defenses in all browsing [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2024-07-18T18:31:01Z","apple_news_api_id":"465ec23e-4ee3-4d55-bedf-e8ae905989d7","apple_news_api_modified_at":"2024-07-22T18:19:58Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAg==","apple_news_api_share_url":"https:\/\/apple.news\/ARl7CPk7jTVW-3-iukFmJ1w","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[354,131,31,2321,30,2385,355,103,2246,1775],"class_list":["post-44141","post","type-post","status-publish","format-standard","hentry","category-technology","tag-advertising","tag-bug","tag-ios","tag-ios-17","tag-mac","tag-macos-14-sonoma","tag-privacy","tag-safari","tag-safari-extensions","tag-stop-the-madness"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/44141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=44141"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/44141\/revisions"}],"predecessor-version":[{"id":44183,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/44141\/revisions\/44183"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=44141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=44141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=44141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}