RIP CSRF?

Apple has made further privacy improvements to the WebKit browser engine

The latest version of Apple’s Safari web browser offers enhanced privacy and security measures through full third-party cookie blocking.

Safari 13.1, available on iOS and macOS, includes a new feature that blocks cookies for cross-site resources by default – a tightening of previously introduced restrictions in the WebKit browser engine.

The move bolsters privacy since it disables login fingerprinting, a technique in which a website loads, for example, images from a third-party service and infers from whether the load succeeds whether the user is logged in to that service.

It also improves security by offering enhanced protection against cross-site request forgery (CSRF), a common class of web security flaw.

John Wilander, an Apple WebKit engineer behind Safari’s Intelligent Tracking Prevention technology, stated in a blog post that full third-party cookie blocking “disables cross-site request forgery attacks against websites through third-party requests”.

Other security experts, such as Google’s Tavis Ormandy, reckoned that the development, while welcome, only prevents some – rather than all – classes of CSRF attack.

Wilander, for his part, disputes these criticisms.

Top-level CSRF attacks are not stopped by the new WebKit feature. These are attacks that use no subresources at all: for example, a form post executed as the main navigation of the page rather than from inside an iframe, an image, or a script-initiated request. Cookies are still sent on top-level navigations, so a forged request delivered that way still carries the victim’s session.

Both Wilander and Ormandy agreed on this point during a lively debate on the topic on Twitter.

Web developers that legitimately need cookie access as third parties are advised to use the Storage Access API as an alternative.

Script-writable storage time limits

Apple’s latest update also means that the Intelligent Tracking Prevention technology built into the WebKit browser engine will purge all of a website’s script-writable storage after seven days of user inactivity on that site.

The inactivity deletion feature affects content including IndexedDB, LocalStorage, and Service Worker registrations.

At least some developers have expressed concerns that the time limit will damage the appeal and utility of offline web applications.

In addition, the move to block third-party cookies results in all cross-site document referrers being downgraded to their origin.

“This matches the already downgraded cross-site referrer request headers,” Wilander explained.

Downgrading the referrer to its origin removes the path and query string of the URL, which is better for privacy.

Wilander concluded by encouraging developers to test their websites for compatibility with the release.

The latest update of Apple’s flagship browser also patches various security issues in Safari and WebKit.

The fixes include patches for five separate memory corruption issues in WebKit that can each result in code execution, along with a fix for an input validation issue that creates a cross-site scripting risk in unpatched browsers.
