Expiration cap removed from JavaScript cookies in WebKit browsers


If you remember, in February 2019, Apple published a post on the WebKit blog, introducing version 2.1 of their Intelligent Tracking Prevention browser mechanism.


In this version, Safari (and soon all WebKit browsers, including the Browser app on iOS and iPadOS) placed an expiration limit on browser cookies set with JavaScript. It was no longer possible to set an expiration date more than 7 days in the future.


In a release as recent as 2022 (I don’t have the exact date or version number), WebKit modified this mechanism so that it no longer sets an expiration limit on JavaScript cookies.


This does not mean that WebKit has rolled back the change from ITP 2.1. Instead, the expiration cap is replaced by the restrictions WebKit imposes on all script-writable storage, which now includes JavaScript cookies.



All script-writable storage is removed when the site is no longer interacted with

WebKit browsers already had a tracking prevention policy for other script-writable storage. This includes:

IndexedDB, localStorage, media keys, sessionStorage, and Service Worker registrations and cache.

The policy is that if the site does not receive user interaction (click, tap, or keyboard input) within 7 days of browser use, all script-writable storage for the site is deleted.

Note that 7 days of browser usage is not the same as 7 calendar days. The user may use the browser every day, in which case they are the same thing, or the user may take a break of days, weeks, or months between days of using the browser.

[Figure: Browser usage in 7 days]

With this recent change, JavaScript cookies are now included in this list of storage mechanisms that are purged.

To prevent this deletion from occurring, the user must visit the website and perform a meaningful user interaction (click, tap, or keyboard input) with the site in the first-party context (so loading the site in an embedded iframe on its own will not do). This resets the deletion timer back to 0.

Note that embedding the site in an iframe and using the Storage Access API with it counts as meaningful interaction with the site and also resets the deletion timer.

The 24-hour expiration limit still applies in some cases

In ITP 2.2, WebKit introduced an additional limitation on first-party cookies.

If the user clicks on a link on a website whose domain is classified by ITP as having tracking capabilities, and the link contains URL query parameters and/or hash fragments, an additional limit is placed on JavaScript cookies set on the page that the user navigates to.

In such cases, any JavaScript cookie set on the page will have a maximum expiration of one day.

This remains unchanged and places a major constraint on cookies set by companies such as Google or Meta after a user clicks on an advertisement or “regular” link while using these platforms.


After a long period of little activity, it looks like WebKit is getting into another round of tracking prevention to stay ahead of the cat-and-mouse game with advertising technology.

In Safari Technology Preview 157, a new feature is being tested that will limit the expiration of cookies set in HTTP response headers to a maximum of 7 days if the response originates from a server whose IP address subnet does not match that of the site making the request. Yes, it’s a mouthful. You can check out my Mastodon post and Corey Underwood’s blog post on the subject for more details.

This places limits on how effective solutions such as server-side Google Tag Manager are at creating more durable first-party cookies.

With this recent change, in which JavaScript cookies no longer have an expiration limit, we come to an interesting conclusion: in many cases it is possible that JavaScript cookies live much longer than their HTTP counterparts.

The expiration of an HTTP response cookie set from servers behind third-party CNAMEs or third-party IP addresses will be limited to seven days. JavaScript cookies have no expiration limit (although a maximum of 400 days may be introduced at some point).

However, for this to happen, the user will still need to visit the site from time to time and have a meaningful interaction with it. Just using the browser is not enough.

However, I won’t read too much into it. The difference between 7 days of browser usage and 7 calendar days is often non-existent. So I would not assume that this change will “improve” your analysis data excessively, for example.
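The lifetime rules described in this article, written out as a simplified model. This is an added example, not WebKit code and not part of the original post. All field names, function names and sample timelines are assumptions made for illustration, and each timeline is assumed to start on the first day after the site's last user interaction.

```javascript
// Simplified model of the WebKit policies described in this article.
// Added example; not WebKit code. All names here are hypothetical.

const DAY_CAP_DECORATED_LINK = 1; // ITP 2.2: JS cookie set after a decorated link from a classified domain
const DAY_CAP_HTTP_MISMATCH = 7;  // STP 157 test: HTTP cookie from a server on a non-matching subnet
const PURGE_AFTER_USE_DAYS = 7;   // days of browser use without interaction on the site

// Longest lifetime (in days) granted to a cookie that asks for `requestedDays`.
function effectiveLifetimeDays(cookie) {
  const { setVia, requestedDays } = cookie;
  if (setVia === "js" && cookie.decoratedLinkFromClassifiedDomain) {
    return Math.min(requestedDays, DAY_CAP_DECORATED_LINK);
  }
  if (setVia === "http" && !cookie.serverSubnetMatchesSite) {
    return Math.min(requestedDays, DAY_CAP_HTTP_MISMATCH);
  }
  return requestedDays; // no cap from the rules modelled here
}

// Walk a calendar timeline and return the index of the day on which the site's
// script-writable storage (now including JS cookies) is purged, or null.
// Each entry: { used, interacted } where `used` means the browser was used that
// day and `interacted` means a first-party click/tap/key press on the site, or
// Storage Access API use from an embedded iframe.
function purgeDay(timeline) {
  let idleUseDays = 0;
  for (let day = 0; day < timeline.length; day++) {
    const { used, interacted } = timeline[day];
    if (!used) continue; // calendar days without browser use do not count
    if (interacted) { idleUseDays = 0; continue; } // timer resets to 0
    idleUseDays += 1;
    if (idleUseDays >= PURGE_AFTER_USE_DAYS) return day;
  }
  return null;
}

// Constructed sample timelines (not real data).
const daily = Array.from({ length: 10 }, () => ({ used: true, interacted: false }));
const everyOtherDay = Array.from({ length: 20 }, (_, i) => ({ used: i % 2 === 0, interacted: false }));
const returning = daily.map((d, i) => (i === 5 ? { used: true, interacted: true } : d));

console.log(purgeDay(daily), purgeDay(everyOtherDay), purgeDay(returning));
```

The `everyOtherDay` timeline shows the gap between days of browser use and calendar days: the purge lands on calendar day 12 rather than day 6.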
