Under-the-hood feature changes aim to boost user privacy


WebKit, the Safari browser engine, has strengthened the methods it deploys to prevent tracking on the web.

A new set of updates further limits the information that can be disclosed to third parties through requests, such as the details carried in a referrer header.

The referrer header contains details related to the website a user has come from. Third parties can use this data for tracking and analytics. The referrer header can also be used for link decoration – putting trackers in URLs.

Vulnerabilities – such as session tokens being leaked – can also occur as a result of the referrer header. 

The changes made by WebKit mean that the browser engine will now only provide the web page’s origin in all third-party requests.

“As an example, a request to https://images.example that would previously contain the referrer header https://store.example/baby/strollers/deluxe-stroller-navy-blue.html will now be reduced to just https://store.example/,” John Wilander, software engineer at Apple, said in a blog post published on Tuesday (December 10).
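The reduction Wilander describes, modelled as an added example (this is not WebKit code). It treats any request to a different hostname as third-party, which is a simplifying assumption of this sketch, and the sample URLs other than the one quoted above are constructed.

```javascript
// Added example: models the third-party referrer downgrade described above.
// Assumption: "third party" is approximated as "different hostname".

// Referrer sent before the change: the page URL minus credentials and fragment.
function fullReferrer(pageUrl) {
  const u = new URL(pageUrl);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Referrer sent after the change: origin only when the request is third-party.
function reducedReferrer(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const thirdParty = page.hostname !== req.hostname;
  return thirdParty ? page.origin + "/" : fullReferrer(pageUrl);
}

// Compare what the receiving server could read from the header before and after.
function exposure(pageUrl, requestUrl) {
  const before = new URL(fullReferrer(pageUrl));
  const after = new URL(reducedReferrer(pageUrl, requestUrl));
  return {
    before: before.href,
    after: after.href,
    pathHidden: before.pathname !== after.pathname,
    // Query parameters (session tokens, link-decoration IDs) no longer sent.
    paramsHidden: [...before.searchParams.keys()].filter(
      (k) => !after.searchParams.has(k)
    ),
  };
}

// Constructed samples; the first page URL is the one quoted in the article.
const samples = [
  ["https://store.example/baby/strollers/deluxe-stroller-navy-blue.html", "https://images.example/pixel.gif"],
  ["https://store.example/account?session=CONSTRUCTED-TOKEN&click_id=abc123", "https://images.example/pixel.gif"],
  ["https://store.example/account?session=CONSTRUCTED-TOKEN", "https://store.example/static/app.js"],
];
for (const [page, req] of samples) console.log(exposure(page, req));
```

The third sample stays on the same host, so the full URL, token included, is still sent; the change only covers third-party requests.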

This is an enhancement to WebKit’s Intelligent Tracking Prevention (ITP) feature, which already limits how domain owners can track web users.

The updates will be applied by default to Safari on iOS and iPadOS 13.3 and to Safari 13.0.4 on macOS Catalina, Mojave, and High Sierra, according to the WebKit announcement. They also bring privacy improvements for third-party cookie requests.

“ITP will now block all third-party requests from seeing their cookies, regardless of the classification status of the third-party domain, unless the first-party website has already received user interaction,” Wilander said.




In addition to these changes, the use of the ITP feature will no longer be apparent. Formerly, the absence of cookies, for example, revealed whether a domain was targeted by anti-tracking technology.

The Storage Access API will also consider Safari’s standard cookie policy – a request made by developers to improve usability.

“As of this ITP update, the Storage Access API takes Safari’s cookie policy into consideration when handling calls to document.hasStorageAccess(),” Wilander said.

“Developers have asked for this change because previously document.hasStorageAccess() could resolve with true but the iframe still couldn’t set cookies because of the cookie policy.”

WebKit has had a tracking prevention policy since August of this year, implemented to protect user privacy and inspired by similar features provided by Mozilla.

