Apple changes Safari's cookie killer to fix Facebook's Like buttons

Apple has made its anti-tracking feature in Safari friendlier to social media.
Written by Liam Tung, Contributing Writer


Apple has introduced a new programming interface for Safari's privacy feature, Intelligent Tracking Prevention, to assist social networks, social-media widgets, and embedded videos.

Apple rolled out ITP in iOS 11 to block marketers from tracking users across sites by imposing time-based limits on cookies and partitioning them. The feature puts a 24-hour limit on third-party cookies and deletes a site's cookies unless the user visits the site within 30 days.

While it improves Safari users' privacy, as Apple WebKit developer John Wilander explained in a post on Thursday, ITP broke valid features of social networks such as commenting fields, Like buttons and video content that are embedded on third-party websites.

Due to the way ITP treats cookies, if a person hasn't used Facebook in the past 24 hours, Safari would prevent them from commenting and liking content on third-party sites. This block happens because the third-party content doesn't have access to its first-party cookies.

"ITP will detect that such multi-page embeds gives socialexample.org the ability to track the user cross-site and therefore deny embedded content from socialexample.org access to its first-party cookies, providing only partitioned cookies," explained Wilander.

"This breaks the user's ability to comment and like content unless they have interacted with socialexample.org as a first-party site in the past 24 hours."

The same issue affects integrated third-party payment providers, embedded third-party videos, embedded documents, and other social widgets.

Shortly after Apple rolled out ITP with iOS 11, Facebook warned developers of this impact on its social plugins, analytics and login.

"Users interacting with facebook.com within the past 24 hours will be able to use Social Plugins normally on the sites they visit," Facebook told developers in October.

"Anyone using Safari who does not visit facebook.com on a daily basis will be required to go through an additional confirmation screen to use Facebook's Social Plugins such as Like, Comment or Share. Those who don't visit facebook.com for more than 30 days in Safari may have to relog in with their username and password to use these features or use Facebook Login."

Apple's answer to the problem is the Storage Access application programming interface (API) for ITP, which allows "third-party embeds to request access to their first-party cookies when the user interacts with them", for example, by tapping or clicking a button.

This means a Facebook iframe gets access to the same cookies as Facebook itself, which allows the third-party embed to authenticate when the user clicks. Wilander notes this solution is specifically not about giving third-party iframes access to the site that is embedding content.

Wilander warned that WebKit developers will add friction to the Storage Access API if it's abused. Currently users aren't prompted when an iframe calls the API, but WebKit could change this if it detects abuse.
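How an embed might use the Storage Access API described above, as an added example that is not from the article or from WebKit. It relies on the standard `document.requestStorageAccess()` call; `sendLike`, `showLogin` and the function names are hypothetical.

```javascript
// Added example. Runs inside the third-party iframe (e.g. a Like button
// served from socialexample.org). `sendLike` and `showLogin` are hypothetical
// callbacks supplied by the widget; `doc` is the iframe's own document.
async function likeWithStorageAccess(doc, sendLike, showLogin) {
  // Browsers without the Storage Access API: cookie behaviour is unchanged,
  // so there is nothing to request.
  if (typeof doc.requestStorageAccess !== 'function') {
    await sendLike();
    return 'unsupported';
  }
  try {
    // Called before any other await so the request is made directly from the
    // click handler. Resolves without re-asking if access is already held.
    await doc.requestStorageAccess();
  } catch (err) {
    // Denied (no user gesture, or the browser refused). The frame still sees
    // only partitioned cookies, so do not send the action as if logged in.
    showLogin();
    return 'denied';
  }
  // First-party cookies for the embed's own origin are now attached. This
  // grants nothing on the embedding page's cookies or DOM.
  await sendLike();
  return 'granted';
}

// Wire the handler to a real click so the call carries the user interaction.
function attachLikeButton(doc, button, sendLike, showLogin) {
  button.addEventListener('click', () =>
    likeWithStorageAccess(doc, sendLike, showLogin));
}
```

On denial the embed falls back to an explicit login prompt instead of acting on partitioned cookies, which keeps the authenticated action tied to a deliberate user step.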

