
Full third-party cookie blocking and more - tbodt
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
======
pspeter3
I'm confused about if this means that IndexedDB will always wipe data after 7
days. That seems like it would prevent storage from being used for user data
in PWAs.

~~~
untog
> after seven days of Safari use _without user interaction on the site_

If it's a PWA that's regularly used you should be fine. But if not, yeah,
that's going to be very annoying.

~~~
cageface
If this is really about protecting users and not about kneecapping web apps
shouldn't Apple also wipe user data in native apps that haven't been used in a
week?

~~~
untog
Native apps don't really have the problem of third-party ad networks storing
data intermixed with app data in this way, though.

~~~
pspeter3
Why not though? It seems like third-party SDKs could be included by the
developer and stored on my local device.

~~~
cageface
Every iOS app I ever built for a client had Facebook's SDK and tracking
installed, at the client's request. Often Google's and Twitter's too and the
user has no awareness of this.

------
fomojola
The 7-Day Cap on All Script-Writeable Storage is troublesome: if I don't log
into a computer for a week 'cause I'm on vacation then you wipe my saved data?
I have local storage based utilities I've written that I sometimes don't touch
for weeks, but whenever I go back everything I put in there is STILL THERE.

Seems like a great way to drive less use of local browser storage options and
promote greater use of cloud storage solutions. Cynical me says "YAY iCloud".

~~~
om2
The day count is days of active browser use, not calendar days, so what you
describe is unlikely.

~~~
fomojola
Ah, that would be an improvement: just re-read the article and I can't find
any reference to "active use" vs "calendar". Can you point out where that is?

~~~
Flenser
I think om2 means this from the article:

"seven days of Safari use without user interaction on the site"

It's not immediately obvious the way it's phrased but they couldn't be
calendar days if there are days you don't use Safari; it's only counting a day
as one where Safari is used and you don't visit the site.
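
The counting rule om2 and Flenser describe above, modelled as an added example that is not part of the original thread and is not WebKit code: the counter advances only on days the browser is used without interaction on the site, and interaction resets it. The log format, the function names, and the choice to wipe on the seventh such day are assumptions.

```javascript
// Model of the rule quoted in the thread:
// "seven days of Safari use without user interaction on the site".
// Constructed data and hypothetical names; not WebKit's implementation.
const CAP_DAYS = 7;

// Build `n` consecutive calendar-day records (hypothetical log format).
function days(n, browserUsed, siteInteraction = false) {
  return Array.from({ length: n }, () => ({ browserUsed, siteInteraction }));
}

// Returns the 1-based calendar day on which the site's script-writable
// storage would be deleted, or null if the cap is never reached.
function dayOfWipe(log) {
  let idleUseDays = 0;
  for (let i = 0; i < log.length; i++) {
    const { browserUsed, siteInteraction } = log[i];
    if (siteInteraction) { idleUseDays = 0; continue; } // interaction resets the count
    if (!browserUsed) continue;                         // days without browser use do not count
    idleUseDays += 1;
    if (idleUseDays >= CAP_DAYS) return i + 1;          // assumption: wipe on the 7th such day
  }
  return null;
}

// Constructed scenarios.
const scenarios = {
  // fomojola's case: two weeks away from the computer in the middle.
  vacation: [...days(3, true), ...days(14, false), ...days(3, true)],
  // Browser used daily, site never visited.
  dailyBrowsingNoVisit: days(10, true),
  // untog's case: a PWA opened at least once a week.
  weeklyVisit: [...days(6, true), ...days(1, true, true), ...days(6, true)],
  // Visits stop, then browser-use days accumulate around a gap.
  lapsed: [...days(2, true, true), ...days(4, true), ...days(5, false), ...days(3, true)],
};

for (const [name, log] of Object.entries(scenarios)) {
  console.log(name, "->", dayOfWipe(log));
}
```
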

------
Animats
I've had third party cookies blocked for years in Firefox. It doesn't break
much.

~~~
distances
Exactly. I don't see why they should be allowed in the first place. I also
block first-party cookies and while that does break more sites, it's still
pretty manageable.

~~~
recursive
Do you use any sites which require any kind of authentication?

~~~
bradly
Firefox users can turn on privacy.firstparty.isolate which I believe will
scope third party cookies to the top level domain you are on. It is off by
default, but I've been using it for some time without issue (except very
persistent re-captcha).

------
sebastien_bois
> Safari continues to pave the way for privacy on the web, this time as the
> first mainstream browser to fully block third-party cookies by default

Too bad Safari isn't my default browser anymore, ever since they essentially
killed it when they neutered extensions.

~~~
doctoboggan
I initially felt the same way, as I relied on ublock origin, but the loss of
that extension forced me to switch to pihole, which I think is an overall
better approach to ad blocking. It works for all devices on your network, so
you get ad blocking on devices that you normally wouldn't, like your smart tv
and the apple news app.

~~~
kodablah
Being DNS based, pi-hole cannot block specific paths of otherwise-acceptable
domains nor can it do any cosmetic filtering. It is not necessarily a better
approach for web browsing.

------
js2
You know what I'd really like from Apple: a per-site option for disabling
JavaScript and another for blocking even first-party cookies.

~~~
scarface74
The number of people who care about blocking JavaScript in 2020 is minuscule.

~~~
mikro2nd
Minuscule, and growing. That site that shouted at me that I'm filthy lowlife
scum for running an adblocker? Pphhht. JS disabled; nastiness averted.

~~~
SquareWheel
It wouldn't be that difficult to build a JS-free version of the same nag. If
global JS support somehow goes down, the nags will just adapt.

------
osrec
Rather than wiping indexed DB data after 7 days, could you not just make it an
opt in thing, like the camera or mic? For example, ask users "Allow myapp.com
to store app related data on your computer?". If they allow it, then give
access to indexed DB API. That way we can still have fully local PWAs.

------
danceparty
Still dreaming of a way to block cookies per-domain

Edit: someone just told me you can do it with osx adguard, in the user rules
you can set "||domain.com^$cookie" to block all cookies from domain.com

~~~
progval
You can do this with uMatrix.

------
tpush
I might be misremembering, but didn’t Safari block third-party cookies by
default before all this tracking protection stuff started?

~~~
bouke
I was thinking the same, and an image search revealed the old preferences
dialog for Safari:
https://www.howtoisolve.com/wp-content/uploads/2014/12/Brower-setting-for-Cookies.jpg
So yes; you could block third-party cookies before ITP was introduced. So it
seems like they're now backtracking on ITP and just default to blocking
third-party cookies by default?

Although maybe ITP is still involved, as Google implemented workarounds to be
able to set third-party cookies regardless of this Safari setting, costing
Google $22.5M.
https://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented

------
etaioinshrdlu
Is there any legitimate reason Chrome doesn't follow suit other than they like
ad revenue? An answer from a Googler here would be great. And a real answer,
not corp-speak.

Blocking third party cookies seems like overall a good thing for security.
Security is good right?

Edit: 2 years is a long time to wait for a security improvement that is
literally flipping a switch.

~~~
jefftk
I'm a Googler who works in ads, speaking only for myself.

If Chrome blocked third party cookies today we'd see something between these
two outcomes:

a) Publishers lose about half their revenue because ads aren't personalized
anymore:
https://services.google.com/fh/files/misc/disabling_third-party_cookies_publisher_revenue.pdf

b) Advertisers figure out how to keep personalizing ads through fingerprinting
(non-cookie tracking)

Since (b) is worse than the status quo (users can't reset their fingerprint) I
think "a security improvement that is literally flipping a switch" doesn't
fit.

Chrome's approach (as described in
https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html)
is:

* Block fingerprinting

* Figure out how to let advertisers personalize in privacy preserving ways (https://www.chromium.org/Home/chromium-privacy/privacy-sandbox primarily FLoC and TURTLEDOVE)

* Then remove cookies

I'm skeptical about the approach, since I think blocking fingerprinting and
server-side correlation of requests is very difficult, but I think the people
working on this are very good and have thought a lot more about it than I
have.

~~~
driverdan
In other words the Chrome team doesn't care about users, it cares about ads.
If it put users first, as it should, third party cookies would have been
blocked a long time ago and they would be working on blocking other
fingerprinting techniques now.

This is a great reason to not use Chrome.

~~~
jefftk
Users don't care about ads, but users care about the things that ads fund. If
publishers go out of business, users will be worse off.

Do you think the browsers should block all ads by default?

~~~
HugoDaniel
Yes.

(i am a user; i don't presume to know what is best for others; speaking as a
user that talks to others like me; i don't need to speak about 'users' as a
third party entity; i am a significant sample of the set)

~~~
vntok
Are you ready to pay every website you visit, then? With actual money that you
yourself own?

~~~
HugoDaniel
As if ads are the only possible business model on the web.

At best the ad revenue is taking money away from other web business models by
instituting that kind of mentality that drives people away from donations and
paid accounts.

Please, consider a paid account/membership when you read the guardian, the
intercept, or look for the donation page of quality content articles in
wikipedia or any of the loads of blogs written by authors with patreon
accounts.

~~~
vntok
Yeah, people will not collect subscriptions to content publishers like they
collect emojis on their phones.

Estimate how many websites you visit each month; people would need dozens of
monthly subscriptions if such a system was set up.

Instead, they will rather go to and pay google news, facebook press or apple
information to get all their news content. Where would money be taken away
then? Content publishers.

------
ganzuul
The list of addons I consider essential for privacy just keeps growing. Here
is another great addition:
https://github.com/Cookie-AutoDelete/Cookie-AutoDelete

Does what it says on the tin.

~~~
cies
What's more on yr list?

------
franciscop
> this time as the first mainstream browser to fully block third-party cookies
> by default

Third party cookies have been blocked in Firefox since September 3rd (2019)
[1]. They mention Brave in the article, so surely Firefox being larger than
Brave should be included in "Major browsers", but not a single mention was
made in the article. It really reminds me of the meme "what do you mean you've
seen it?".

[1]
https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/

~~~
detaro
Blocking cookies from a blocklist of "trackers" as your link clearly describes
is not the same as disabling them completely.

------
kyleee
Are there efforts to cloak third party cookies via the first party domain?

~~~
bouk
The point of third party cookies is cross-site tracking, which doesn't work
with a first party domain.

~~~
speleding
There are perfectly valid use cases for third party cookies that do not
involve tracking. Our business offers an appointment scheduling widget, it
needs cookies for user sessions, and those cookies are third party because the
widget is commonly included on a web page inside an iframe. That widget now
breaks in the new safari preview.

------
techslave
meh. i mean ok yes this does kill the tracking (although i can imagine how to
be more devious) but i already _very_ easily do this with ghostery.

i suppose it’s great for the 90% of “default settings” users.

because a solution (many) is already available for tracker blocking, i’d
rather see effective html5 video and popup blocking. is that infeasible?

------
skrowl
Soooo... like Firefox has done by default since June 2019 then
https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/
?

I guess later is better than never, but this seems like something they could
have done long ago.

~~~
detaro
The blog post you reference clearly describes a limited blocklist. As the
submission says, no other mainstream browser has blocked _all_ third-party
cookies yet.
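
The distinction detaro draws in both replies (a tracker blocklist versus blocking all third-party cookies), and why an embedded widget like the one speleding describes is affected only by the second policy, as an added example that is not part of the original thread and is not browser code. Hostnames, the blocklist contents and the two-label `site()` shortcut are assumptions; real browsers derive the site from the Public Suffix List.

```javascript
// Constructed illustration: hostnames and the blocklist are made up.
const TRACKER_BLOCKLIST = new Set(["tracker.example"]);

// Simplification: treat the last two labels as the site (registrable domain).
function site(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

function isThirdParty(topLevelHost, requestHost) {
  return site(topLevelHost) !== site(requestHost);
}

// policy: "blocklist" (block cookies only for listed trackers) or
//         "block-all-third-party" (block every cross-site cookie).
function cookiesAllowed(policy, topLevelHost, requestHost) {
  if (!isThirdParty(topLevelHost, requestHost)) return true;
  switch (policy) {
    case "blocklist":
      return !TRACKER_BLOCKLIST.has(site(requestHost));
    case "block-all-third-party":
      return false;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed requests: page the user is on, host the subresource loads from.
const requests = [
  { top: "news.example",   req: "static.news.example" },      // same site
  { top: "news.example",   req: "pixel.tracker.example" },    // listed tracker
  { top: "clinic.example", req: "widget.scheduler.example" }, // unlisted iframe widget
];

function comparePolicies() {
  return requests.map(({ top, req }) => ({
    top,
    req,
    blocklist: cookiesAllowed("blocklist", top, req),
    blockAll: cookiesAllowed("block-all-third-party", top, req),
  }));
}

console.table(comparePolicies());
```
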

------
quotemstr
So much for the advertisement-powered web. Congratulations, privacy people:
you win. I hope the new web is everything you hoped. If it isn't, you have
only yourselves to blame. Enjoy the paywalls.

~~~
function_seven
"So much for the _tracking_ -advertisement-powered web"

I'm looking forward to it. Seriously. I know you're intending to be facetious
with this, but everything you listed sounds good to me. Either charge for your
service, or include ads that don't follow me around the Internet.

Somehow advertising worked on radio, on TV, and in print without correlating
data about each viewer with all their other habits. I see no reason why that
can't be the same online.

~~~
lonelappde
Do you want 7 minutes of ads for every 23 minutes of web browsing, like TV?

Did you not notice that print is dead?

~~~
function_seven
No. That’s why I pay for Hulu and Netflix, and DVR other content.

Print as a medium may be dead, but journalism is still here. And it’s possible
to provide without invasive tracking, just like it has been for centuries. The
transition from ink to pixels doesn’t rely on analytics to succeed.

~~~
_eht
You reckon Hulu, Netflix, et al, are just sitting on all the user data you are
giving them, totally respecting it... definitely not monetizing from it? When
was the last time you read T&C?

~~~
Nextgrid
It's one thing where a business is using data you provide them to make better
decisions, just like a store would use sales numbers to decide how much of an
item they should stock up.

The problem here is when data is collected by third-parties I do not know, do
not trust, and do not need. They collect data for _their_ benefit without
providing me anything of value, only ads aka spam.

Online ads are also nothing like print or TV ads. The latter has a barrier to
entry and some minimum criteria they must meet like the laws on what's allowed
to be broadcasted and they are at the discretion of the publisher. This makes
it less likely that a scam or malware would be promoted for example. Online?
It's the Wild West, anyone can advertise anything (fake tech support numbers
for example) for a few hundred bucks and targeting means they can make sure
only the people most likely to fall for the scam would see the ad, while
flying under the radar of anyone savvy enough to recognise it as a scam and
report it.

