Apple’s WebKit blog shares the latest advances in Intelligent Tracking Prevention Technology (ITP)

Editor’s note: This article comes from the WeChat public account “InfoQ” (ID: infoqchina), author: ash.

Apple’s WebKit blog shares the latest developments in Intelligent Tracking Prevention (ITP): completely block third-party cookies, clear local storage after seven days, and simplify developers’ work. But some developers sang a different tune, feeling that Apple’s privacy talk was just talk and that the move was actually made for business reasons. Why?

Apple completely bans third-party cookies

On March 24th, the Apple WebKit blog published an article entitled “Full Third-Party Cookie Blocking and More”, officially announcing that Safari now completely blocks third-party cookies by default. Apple said, “This is a major improvement in privacy, as it eliminates any anomalies or allows for a little cross-site tracking.”

This update involves iOS and iPadOS 13.4, and Safari 13.1 on macOS. The technology, called Intelligent Tracking Prevention (ITP), was first released in 2017, and it has evolved from a ban on most third-party cookies at that time to a complete prohibition of third-party cookies.

It is understood that Safari is the first mainstream browser on the market to completely ban third-party cookies by default. Apart from Safari, only the Tor browser, which has a small market share, does so by default. Coincidentally, Chrome, the absolute dominant player in the browser market, also announced in January this year that third-party cookies will be phased out over the next 2 years.

Global browser market share in February

Top 10 browser models

Apple says it will share its experience with the W3C privacy team to help other browsers make the leap.

What are the benefits of complete blocking?

The WebKit blog lists the benefits of completely blocking third-party cookies, specifically in the following areas.

  • Removes statefulness in cookie blocking;

  • Makes cross-site leakage of user information (such as login fingerprints) no longer feasible;

  • Disables cross-site request forgery attacks on websites through third-party requests;

  • Removes the ability to identify users using secondary third-party domains. Such a setup could otherwise retain the ID even if the user deletes the first-party website data;

  • Simplifies developers’ work: if cookies are required, Apple recommends using the Storage Access API.

Given that most third-party scripts have moved to first-party storage mechanisms such as LocalStorage, Apple also announced that all script-writable storage is retained for only 7 days; data stored locally is automatically deleted after 7 days. Affected storage types include IndexedDB, LocalStorage, Media keys, SessionStorage, and Service Worker registrations.

Developers can work around the inconvenience of this change during the transition period by using OAuth 2.0 authorization, the Storage Access API, or temporary compatibility fixes.
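
The Storage Access API route mentioned above, as an added example that is not code from the WebKit post or from Apple: an embedded third-party frame asks for cookie access and, if that is unavailable or refused, falls back to a top-level OAuth 2.0 redirect. The function names, outcome strings and fake `document` objects are assumptions made for illustration.

```javascript
// Added example: decide how an embedded third-party frame should
// authenticate once its cookies are blocked by default.
// `doc` is injected so the logic runs outside a browser; pass `document`
// from inside the iframe. Outcome strings are hypothetical names.
async function ensureCookieAccess(doc) {
  const supported = typeof doc.hasStorageAccess === "function" &&
                    typeof doc.requestStorageAccess === "function";
  if (!supported) return "unsupported";
  if (await doc.hasStorageAccess()) return "already-granted";
  try {
    // Browsers only honour this when it is called from a user gesture
    // (click or tap) inside the frame; otherwise the promise rejects.
    await doc.requestStorageAccess();
    return "granted";
  } catch (_) {
    return "denied";
  }
}

// Map the outcome to the next step. Without cookie access, fall back to a
// top-level OAuth 2.0 redirect so the token arrives in first-party context.
function nextStep(outcome) {
  return outcome === "granted" || outcome === "already-granted"
    ? "use-embedded-session"
    : "redirect-to-first-party-oauth";
}

// Constructed stand-ins for `document` in three browser situations.
const fakeDocs = {
  legacy: {}, // browser without the Storage Access API
  prompted: {
    hasStorageAccess: async () => false,
    requestStorageAccess: async () => undefined, // user allowed access
  },
  refused: {
    hasStorageAccess: async () => false,
    requestStorageAccess: async () => { throw new Error("NotAllowedError"); },
  },
};

async function demo() {
  const result = {};
  for (const [name, doc] of Object.entries(fakeDocs)) {
    const outcome = await ensureCookieAccess(doc);
    result[name] = [outcome, nextStep(outcome)];
  }
  return result;
}

demo().then((r) => console.log(r));
```

In a real embed, call `ensureCookieAccess(document)` from the click handler of a visible control inside the iframe, not on page load.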

Apple’s blog post states that global browser status has become a key part of the privacy protection of the Web community. Since the GDPR, the EU’s strictest data protection regulation, came into effect in 2018, major companies have swallowed huge fines under the hammer of privacy protection: Google was fined 50 million euros, and major companies such as British Airways and Marriott were also fined tens of millions over data leaks.

Third-party cookies have become the hardest-hit area for data leakage because they collect large amounts of user information over time. Experts said, “Before the advent of HTML5 local storage related technologies, the cookie is the only way to save user data on the client, but the cookie itself has many problems, such as size restrictions, plain text storage, etc. However, its biggest problem is security. Many security holes result from the theft of cookies.”

After the GDPR came into effect, many websites started adding cookie notifications, but this did not have a good effect on privacy protection. Therefore, companies such as Apple and Google began to ban third-party cookies at the source to solve this problem.

Different voices from developers

A developer named Aral Balkan wrote an article on his blog titled “Apple just killed Offline Web Apps while purporting to protect your privacy: why that’s A Bad Thing and why you should care”. From the title you can see how radical the point of view is, and the content is much the same.

In his opinion, completely blocking third-party cookies to protect privacy only looks good on the surface, and the rule of clearing local storage after 7 days completely rules out the possibility of any future decentralized application using the browser (client) as a trusted replication node in a network.

Further, he believes that Apple only appears to be concerned about privacy on the surface; in fact, it is because many vendors’ practices violate the core purpose of using privacy as a business model.

“You can almost think they will use the App Store for something.”

Balkan’s views, while radical, are not entirely unreasonable. In fact, this is exactly what Apple has been criticized for. Earlier on Hacker News, developers had extensively discussed the obstacles Apple places in the way of Web technology on its own platform.

The software technology behind the programming language used to build the app allows developers to “reuse” the code they write for web programs when developing products that support operating systems such as Linux, Android, Windows, and macOS. But Apple doesn’t like this kind of web technology recycling. It wants the Mac App Store to be full of applications that you can’t find anywhere else. It doesn’t want the store flooded with applications that can be seen on various platforms.

For example, there was the earlier Apple Mac App Store ban on Electron: these applications “try to hide the use of private APIs.” Apple’s reasoning is that these private APIs pose potential risks. This reason is not a problem in itself, but considering the fact that Electron has been using the private APIs for many years and has even significantly improved power consumption, and the fact that the tools recommended by Apple make the user experience worse, it is thought-provoking.

Apple has also held back the adoption of Progressive Web Applications (PWA), a technology that, like Electron, allows developers to build native-style apps for desktop and mobile. Apple’s approach is to implement only a part of the standard; as a result its implementation is far from the full standard, making it difficult for developers to rely on. If the user could launch the PWA application in Chrome or Firefox, these problems would not occur, but iPhone and iPad users cannot install third-party browsers, and Apple has closed the way for users to use PWA technology.

In China, the love-hate relationship between applets and Apple is well known to developers, so I won’t repeat it here. Reference: applet: an escape attempt.

As far as things go, Apple’s move is commendable. But can disabling third-party cookies protect user privacy? Not necessarily. Some people say that the Internet is starting to become insecure because security people have come out. I don’t lie to this statement.