[Openid-specs-ab] ITP 2.3
George Fletcher
gffletch at aol.com
Tue Sep 24 16:17:41 UTC 2019
Apple has released additional changes in ITP 2.3 [1].
Since ITP 2.2, several trackers have announced their move from
first-party cookies to alternate first-party storage such as
LocalStorage. ITP 2.3 counteracts this in the following way:
1. website.example will be marked for non-cookie website data deletion
if the user is navigated from a domain classified with cross-site
tracking capabilities to a final URL with a query string and/or fragment
identifiers, such as "website.example?clickID=0123456789".
2. After seven days of Safari use without the user interacting with a
webpage on website.example, all of website.example's non-cookie website
data is deleted.
Since the OIDC/OAuth authorization_code response contains a query
element, if the IDP is labeled by Safari as a "tracker" then the RP's
site will be subject to these restrictions.
At the very least it will require a login 7 days after last access of
the user to the RP.
Thoughts?
[1] https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/
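As an added illustration (not part of the original post or of WebKit's code), the following Python model encodes the two ITP 2.3 rules quoted above and plays the OIDC authorization_code scenario through them: the RP callback URL carries `code` and `state` in the query string (the fragment case for `response_mode=fragment` is handled by the same rule), the RP keeps its session in LocalStorage-style non-cookie storage, and the user then goes idle. Domain names, the token values and the "one call equals one day of Safari use" simplification are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Rule 2 from the WebKit post: seven days of Safari use without interaction.
SEVEN_DAYS = 7


@dataclass
class Site:
    """Per-site state that the model tracks (a stand-in for Safari's bookkeeping)."""
    non_cookie_storage: dict = field(default_factory=dict)  # LocalStorage-like data
    marked_for_deletion: bool = False
    days_since_interaction: int = 0


class ItpModel:
    """Minimal model of the ITP 2.3 non-cookie data deletion rules (assumption: simplified)."""

    def __init__(self, tracker_domains):
        # Domains Safari has classified as having cross-site tracking capabilities.
        self.trackers = set(tracker_domains)
        self.sites = {}

    def site(self, host):
        return self.sites.setdefault(host, Site())

    def navigate(self, from_host, to_url):
        """Rule 1: a top-level navigation from a classified domain to a URL with a
        query string and/or fragment marks the destination site for deletion."""
        parts = urlsplit(to_url)
        dest = self.site(parts.hostname)
        if from_host in self.trackers and (parts.query or parts.fragment):
            dest.marked_for_deletion = True
        return dest.marked_for_deletion

    def interact(self, host):
        """User interaction with a page on the site resets its idle counter."""
        self.site(host).days_since_interaction = 0

    def day_of_use(self):
        """One day of Safari use: age every site, purge marked sites past seven idle days."""
        purged = []
        for host, s in self.sites.items():
            s.days_since_interaction += 1
            if s.marked_for_deletion and s.days_since_interaction >= SEVEN_DAYS:
                s.non_cookie_storage.clear()
                purged.append(host)
        return purged


def oidc_callback_scenario(idp_is_tracker, idle_days=7):
    """Play the authorization_code redirect through the model and report what survives.

    Hosts and token values are constructed for the example."""
    model = ItpModel({"idp.example"} if idp_is_tracker else set())
    # The authorization code response is a redirect to the RP with code and state in the query.
    model.navigate("idp.example",
                   "https://rp.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj")
    rp = model.site("rp.example")
    # The RP completes login and keeps its session in non-cookie storage.
    rp.non_cookie_storage["session"] = "constructed-session-token"
    model.interact("rp.example")
    # The user then does not touch the RP for idle_days days of Safari use.
    for _ in range(idle_days):
        model.day_of_use()
    return {
        "marked": rp.marked_for_deletion,
        "session_present": "session" in rp.non_cookie_storage,
    }


if __name__ == "__main__":
    for tracker in (True, False):
        print(f"IdP classified as tracker={tracker}: {oidc_callback_scenario(tracker)}")
```

Running the script shows the effect described in the post: with the IdP classified as a tracker, the RP is marked on the callback navigation and its non-cookie storage is gone after seven idle days, so the user has to log in again; with an unclassified IdP, or with fewer than seven idle days, the session survives.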