CIO

Apple changes a Safari privacy feature that "breaks" Facebook's Like button

  • Liam Tung (CSO Online)
  • 23 February, 2018 07:31

Apple has tweaked Safari’s Intelligent Tracking Prevention (ITP) system to make it easier for developers to use Facebook’s “Like” button on the web.

Apple rolled out ITP for Safari on macOS and iOS in September to restrict the use of third-party cookies to track Safari users across sites. Apple pitched it as a boon to user privacy; however, the effort was also seen as advantaging Google and Facebook. Facebook soon warned that the privacy feature would affect developers who use its social plugins, analytics and login features.

ITP limited a tracking-capable domain’s cookies in a third-party context to a 24-hour window after the user’s last first-party visit to that domain, and purged the site’s cookies altogether if the user didn’t visit it within a month. This had a knock-on effect for developers who relied on Facebook cookies for social features such as the Like button.

As Facebook explained a few weeks after Apple rolled out ITP, Safari would delete Facebook cookies for people who hadn’t visited Facebook directly in the last 30 days. This created friction for visitors to sites that support Facebook’s Like and Share buttons.

“Anyone using Safari who does not visit facebook.com on a daily basis will be required to go through an additional confirmation screen in order to use Facebook's Social Plugins such as Like, Comment or Share. Those who don't visit facebook.com for more than 30 days in Safari may have to re-login with their username and password in order to use these features or use Facebook Login,” Facebook said.

Apple’s cookie cutting also reduced the accuracy of Facebook Analytics’ mobile statistics and broke Facebook’s simplified sign-in, which let people log in to an app once per device rather than entering a password every time they log in.

Apple intended the privacy system to let a person log in to sites with social media accounts while restricting the use of cookies for cross-site tracking.

Apple has now acknowledged Facebook’s concerns and provided a solution called the Storage Access application programming interface (API).

According to Apple, an embedded service that doesn’t use the API runs into the following: “Let’s say that socialexample.org is embedded on multiple websites to facilitate commenting or “liking” content with the user’s socialexample ID. ITP will detect that such multi-page embeds give socialexample.org the ability to track the user cross-site and therefore deny embedded content from socialexample.org access to its first-party cookies, providing only partitioned cookies. This breaks the user’s ability to comment and like content unless they have interacted with socialexample.org as first-party site in the last 24 hours.”

Apple WebKit engineer John Wilander said that third-party payment providers and embedded video services are also affected: “As soon as ITP detects their tracking abilities, it denies them first-party cookie access outside the 24 hour window, and the embedded content treats the user as logged out even though they are logged in.”

Wilander notes that the Storage Access API allows “third-party embeds to request access to their first-party cookies when the user interacts with them.”

The Storage Access API is available in Safari 11.1 on the iOS 11.3 beta, where Apple describes it as “Enhanced consistency of cross-site tracking protection behaviors.” It’s also available in Safari 11.1 on the macOS High Sierra 10.13.4 beta, and in Safari Technology Preview 47 and later.

Apple notes that it is watching for abuse of the API, in part because Safari will not prompt the user when an iframe calls it.

“We have decided not to prompt the user when an iframe calls the Storage Access API to make the user experience as smooth as possible. ITP’s rules are an effective gatekeeper for who can be granted access, and for the time being we rely on them," writes Wilander. 

“However, we will monitor the adoption of the API and make changes if we find widespread abuse where the user is clearly not trying to take some authenticated action in the calling iframe. Such API behavior changes may be prompts, abuse detection resulting in a rejected promise, rate limiting of API calls per origin, and more.”
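The flow Wilander describes, as an added example that is not code from the article, from Apple or from Facebook: an embedded widget such as the socialexample.org iframe above first checks `document.hasStorageAccess()`, and only inside the user’s click handler calls `document.requestStorageAccess()`, treating a rejected promise (no user gesture, ITP denial, or the abuse detection Apple says it may add) as “logged out, fall back to partitioned cookies and show the confirmation or login screen”. The function names `ensureStorageAccess`, `attachLikeButton` and `makeFakeDocument` are this example’s own; the `doc` parameter is injected so the same logic runs against a constructed stand-in for Safari’s `document` outside a browser.

```javascript
// Added example (not from the article, Apple or Facebook): a third-party
// embed requesting its own first-party cookies via the Storage Access API.
// Only document.hasStorageAccess() and document.requestStorageAccess() are
// the real API; everything else is this example's own naming.

// Ask for unpartitioned cookie access. Resolves to { granted, via } and never
// rejects, so the caller can always render an appropriate UI state.
async function ensureStorageAccess(doc, log = () => {}) {
  // Already unpartitioned, e.g. the user visited the embed's origin as a
  // first party within ITP's 24-hour window.
  if (await doc.hasStorageAccess()) {
    return { granted: true, via: 'already-had-access' };
  }
  try {
    // Must run inside a user-gesture handler (the click on "Like");
    // Safari rejects the promise otherwise, and Apple says it may also
    // reject on abuse detection or rate limiting.
    await doc.requestStorageAccess();
    return { granted: true, via: 'requested' };
  } catch (err) {
    // Rejected: keep using partitioned cookies, treat the user as logged
    // out and show the confirmation / login screen Facebook describes.
    log(`storage access denied: ${err && err.message}`);
    return { granted: false, via: 'denied' };
  }
}

// Wire the request to the user's click, which is what makes it a gesture.
function attachLikeButton(doc, button, onState) {
  button.addEventListener('click', async () => {
    onState(await ensureStorageAccess(doc));
  });
}

// Constructed stand-in for Safari's document so the flow can be exercised
// in Node. `activated` models "called from inside a user gesture";
// `grantOnRequest` models ITP's decision.
function makeFakeDocument({ hasAccess = false, activated = false, grantOnRequest = true } = {}) {
  return {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (!activated) throw new Error('requestStorageAccess needs a user gesture');
      if (!grantOnRequest) throw new Error('denied by ITP');
      hasAccess = true; // access persists for this document once granted
    },
  };
}

// Stand-alone demo in Node; in a browser you would pass the real `document`
// and a real <button> to attachLikeButton instead.
if (typeof document === 'undefined') {
  for (const opts of [{ hasAccess: true }, { activated: true }, { activated: false }, { activated: true, grantOnRequest: false }]) {
    ensureStorageAccess(makeFakeDocument(opts), console.log)
      .then((r) => console.log(JSON.stringify(opts), '->', JSON.stringify(r)));
  }
}
```

In a real page the handler would call `requestStorageAccess()` synchronously inside the click event before any other `await`, because Safari ties the grant to the user activation of that event; the fake document above models only the presence or absence of that gesture, not its timing.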