[Openid-specs-ab] ITP 2.3

George Fletcher gffletch at aol.com
Tue Sep 24 16:17:41 UTC 2019

Apple has released additional changes in ITP 2.3 [1]

Since ITP 2.2, several trackers have announced their move from 
first-party cookies to alternate first-party storage such as 
LocalStorage. ITP 2.3 counteracts this in the following way:
1. website.example will be marked for non-cookie website data deletion 
if the user is navigated from a domain classified with cross-site 
tracking capabilities to a final URL with a query string and/or fragment 
identifiers, such as "website.example?clickID=0123456789".
2. After seven days of Safari use without the user interacting with a 
webpage on website.example, all of website.example's non-cookie website 
data is deleted

Since the OIDC/OAuth authorization_code response contains a query 
element, if the IDP is labeled by Safari as a "tracker" then the RP's 
site will be subject to these restrictions.

At the very least it will require a login 7 days after last access of 
the user to the RP.


[1] https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/

More information about the Openid-specs-ab mailing list