Safari 14 blocks the tricks used to get third-party cookies past its restrictions



Since the March 24, 2020 update, Apple's web browser, Safari, blocks third-party cookies by default, preventing advertisers and others from tracking users across a wide range of sites. In response, advertisers used techniques such as 'CNAME cloaking' and 'bounce tracking' to circumvent the restriction, but the development blog has announced that the Safari 14 update closes these loopholes.

CNAME Cloaking and Bounce Tracking Defense | WebKit
https://webkit.org/blog/11338/cname-cloaking-and-bounce-tracking-defense/



CNAME is one of the DNS record types. It lets you forward access to another domain name while keeping the domain name the user connects to. Because third-party cookies are now blocked, advertisers developed a technique called 'CNAME cloaking': a subdomain of the site is given a CNAME that points to the advertiser's domain, so that the third-party cookie behaves as if it were a cookie for that site. They used this as a loophole.

When such a technique is used, tracking across multiple sites cannot be prevented, and there is also a risk of website hijacking and cookie hijacking if the CNAME records are not properly managed.

Safari responded to this loophole with an update: when resolving a domain name, it now checks where the CNAME forwards to and what the final destination is. If the final destination is a third party, cookies are given a 7-day expiration.
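The check described above can be sketched as follows. This is an added example, not WebKit's code: the DNS records are constructed, the names `site_of`, `resolve_chain`, `is_cloaked` and `effective_expiry` are hypothetical, and the site comparison uses the last two labels as a simplification of a Public Suffix List lookup.

```python
from datetime import timedelta

# Constructed sample CNAME records (name -> target); not real DNS data.
CNAME_RECORDS = {
    "metrics.shop.example": "shop-example.collector.tracker.test",
    "shop-example.collector.tracker.test": "edge7.tracker.test",
    "www.shop.example": "origin.shop.example",
    "loop-a.shop.example": "loop-b.shop.example",
    "loop-b.shop.example": "loop-a.shop.example",
}

COOKIE_CAP = timedelta(days=7)  # the 7-day cap stated in the article


def site_of(host):
    """Simplified site: last two labels. A real check needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def resolve_chain(host, records, max_hops=8):
    """Follow CNAMEs to the final name; return the chain, or None on a loop."""
    chain = [host.lower().rstrip(".")]
    while chain[-1] in records:
        nxt = records[chain[-1]].lower().rstrip(".")
        if nxt in chain or len(chain) > max_hops:
            return None
        chain.append(nxt)
    return chain


def is_cloaked(host, page_host, records):
    """True when host is first-party by name but its final CNAME target is another site."""
    chain = resolve_chain(host, records)
    if chain is None or site_of(host) != site_of(page_host):
        return False  # broken chain, or an ordinary third party (blocked anyway)
    return site_of(chain[-1]) != site_of(page_host)


def effective_expiry(host, page_host, requested, now, records):
    """Cap the cookie expiry at 7 days when the response came from a cloaked host."""
    if is_cloaked(host, page_host, records):
        return min(requested, now + COOKIE_CAP)
    return requested
```

Site owners can run the same chain walk over their own zone export to find subdomains that are delegated to another party and confirm those records are still intentionally managed.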



At the same time, countermeasures are also said to have been taken against 'bounce tracking', a technique that gets third-party cookies recognized as first-party by immediately redirecting to the original site after accessing another site once.

Note that the CNAME cloaking defense does not apply if you are using macOS Catalina or earlier. Those who are concerned about browsing privacy should update to macOS Big Sur as soon as possible.

in Software,   Security, Posted by log1d_ts