Some services are requesting storage access on every click or tap, regardless of previous interactions with the user. Users have asked us to cap the number of times they can get asked for storage access by a specific piece of embedded web content. Note that a returned true does not guarantee that the third-party can set cookies since Safari’s default cookie policy is to deny cookies for third-parties if they don’t already have cookies. Developers were confused when document.hasStorageAccess() returned false but ITP was off. Make document.hasStorageAccess() return true when ITP is off.This meant the user had to tap or click again to be shown a popup to log in to the third-party service. when the requesting domain was classified by ITP and had not received user interaction as first-party website the last 30 days of Safari use. when the user is prompted and picks “Don’t allow.” Previously the gesture was also consumed when the promise was rejected without a user prompt, i.e. Only consume the user gesture (tap or click) when the user explicitly denies access, i.e.Updates To the Storage Access API Developer Enhancement Requestsĭevelopers have asked us for two changes to the Storage Access API, and we’re happy to provide them in Safari on iOS 13 beta, iPadOS beta, and macOS Catalina beta: When social.example’s script on website.example reads document.referrer to retrieve and store the click ID, ITP will make sure only is returned.įor further reading on misuse of the referrer and changes coming to browsers in general, see the WHATWG Fetch issue Limit the length of the Referer header. Say the user is navigated from social.example to website.example and the referrer is. ITP 2.3 counteracts this by downgrading document.referrer to the referrer’s eTLD+1 if the referrer has link decoration and the user was navigated from a classified domain. Our research has found that trackers, instead of decorating the link of the destination page, decorate their own referrer URL and read the tracking ID through document.referrer on the destination page. By limiting the ability to use any script-writeable storage for cross-site tracking purposes, ITP 2.3 makes sure that third-party scripts cannot leverage the storage powers they have gained over all these websites. Now those scripts are being repurposed to circumvent browsers’ protections against third-party tracking. Site owners have been convinced to deploy third-party scripts on their websites for years. The reason why we cap the lifetime of script-writable storage is simple. Put differently, ITP 2.3 caps the lifetime of all script-writeable website data after a navigation with link decoration from a classified domain. Together with ITP’s capped expiry of client-side cookies, this change removes trackers’ ability to use link decoration combined with long-term first-party website data storage to track users. After seven days of Safari use without the user interacting with a webpage on website.example, all of website.example’s non-cookie website data is deleted.website.example will be marked for non-cookie website data deletion if the user is navigated from a domain classified with cross-site tracking capabilities to a final URL with a query string and/or a fragment identifier, such as website.example?clickID=0123456789.ITP 2.3 counteracts this in the following way: Since ITP 2.2, several trackers have announced their move from first-party cookies to alternate first-party storage such as LocalStorage. Capped Lifetime For All Script-Writeable Website Data Unfortunately, we see continued abuse of link decoration, so ITP 2.3 takes two new steps to combat this. With ITP 2.2, when a webpage is navigated to from a domain classified by ITP and the landing URL has a query string or fragment, the expiry of persistent client-side cookies created on that page is 24 hours. Our previous release, ITP 2.2, focused specifically on the abuse of so-called link decoration for the purposes of cross-site tracking. Enhanced Prevention of Tracking Via Link Decoration Intelligent Tracking Prevention (ITP) version 2.3 is included in Safari on iOS 13, the iPadOS beta, and Safari 13 on macOS for Catalina, Mojave, and High Sierra. Note: Read about past updates to this technology in other blog posts about Intelligent Tracking Prevention, the Storage Access API, and ITP Debug Mode.
0 kommentar(er)
