
A change to the way WebKit handles some internet cookies means that Safari 16.4 will invalidate them more frequently in the name of privacy. But that could also mean that users have to log into their accounts more often.
The change, which is built into the underlying WebKit browser engine and implemented as part of the recent Safari 16.4 release, isn't specifically mentioned in Apple's release notes. But it's been spotted by WebKit experts and shared on Twitter.
WebKit developers say that the change is designed to prevent third-party cookies from masquerading as first-party ones — something some websites and services appear to have been doing to help them track users across the web.
Security matters
The change is detailed in a WebKit pull request on GitHub.
The request says that while Safari already caps the lifetime of cookies to seven days if it suspects them to be third-party cookies pretending to be first-party ones, this new change goes a step further.
The explanation is a complicated one, but the gist is that some cookies have been using "CNAME cloaking", in which a subdomain of the website is pointed via a DNS CNAME record at a third party's servers, to confuse Safari into thinking they're from the website's owner, not a third party. That party could be some sort of analytics company, for example.
With Safari 16.4 installed, the browser will look for more telltale signs that something isn't as it should be with the cookie in question. If it's deemed not to be a first-party one at all, it'll be set to time out after just a week.
Some have suggested that Google Tag Manager is the target of the change, although there are likely implications for other services too. Tag Manager is a tool that enables website analytics and more.
If you thought Apple couldn't eliminate more data / cookies along comes Safari 16.4. Server set FIRST PARTY cookies now max 7 days (conditions described in original PR below). This aimed squarely at Google Tag Manager but affects every server-side proxy. It's War on the web. pic.twitter.com/buTSgpcyyi April 5, 2023
This is all being done in the name of privacy and will likely help prevent people from being tracked when browsing the web. But it could also have an unintended impact on logins.
Experts worry that login sessions could be caught in the crossfire, with their session cookies also forced to time out after seven days. The result would be that users have to log back into websites after a week unless they visit the site and obtain a new cookie sooner.
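For site operators who want to see which of their own cookies would be hit, here is an added example (not WebKit's code and not from the pull request) that models the CNAME-cloaking case and the seven-day cap described above, including the login-session scenario. The host names, DNS data and cookie list are constructed, the "last two labels" domain rule is a simplifying assumption, and the extra signals Safari 16.4 looks for are not modelled because the article does not list them.

```python
from datetime import datetime, timedelta, timezone

CAP = timedelta(days=7)  # lifetime cap stated in the article

def registrable_domain(host: str) -> str:
    # Assumption: last two labels. Real audits should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_cname_cloaked(site_host, cookie_host, cname_chain):
    """True when cookie_host looks first-party but its CNAME chain leaves the site's domain."""
    site = registrable_domain(site_host)
    if registrable_domain(cookie_host) != site:
        return False  # plainly third-party, so not "cloaked"
    return any(registrable_domain(target) != site for target in cname_chain)

def effective_expiry(now, requested_max_age, cloaked):
    """Expiry the browser would keep: the requested one, or the 7-day cap if cloaked."""
    lifetime = min(requested_max_age, CAP) if cloaked else requested_max_age
    return now + lifetime

def audit(site_host, cookies, dns, now):
    """cookies: (name, setting host, requested Max-Age); dns: host -> CNAME chain."""
    report = []
    for name, host, max_age in cookies:
        cloaked = is_cname_cloaked(site_host, host, dns.get(host, []))
        expires = effective_expiry(now, max_age, cloaked)
        report.append((name, cloaked, (expires - now).days))
    return report

# Constructed sample data: one analytics vendor and one CDN fronting the login host.
SAMPLE_DNS = {
    "www.shop.example": [],
    "metrics.shop.example": ["shop.tracker-vendor.example"],
    "login.shop.example": ["edge.cdn-vendor.example"],
}
SAMPLE_COOKIES = [
    ("cart", "www.shop.example", timedelta(days=30)),
    ("_visitor", "metrics.shop.example", timedelta(days=365)),
    ("session", "login.shop.example", timedelta(days=30)),
    ("csrf", "login.shop.example", timedelta(days=1)),
]

if __name__ == "__main__":
    now = datetime(2023, 4, 5, tzinfo=timezone.utc)
    for name, cloaked, days in audit("www.shop.example", SAMPLE_COOKIES, SAMPLE_DNS, now):
        print(f"{name:10} cloaked={cloaked!s:5} effective_lifetime_days={days}")
```

In this constructed data the 30-day session cookie on the CNAME-fronted login host ends up with the same seven-day lifetime as the analytics cookie, which is the crossfire the experts describe.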
Critics are already suggesting that this move in particular goes against the idea of an open web, although Apple will no doubt see things very differently.
As always, the best iPhone, Mac, and iPad is one that's safe and secure. But the change could well make life difficult for website and service builders who rely on the tools and analytics that it will impact.