Apple's WebKit team has published a "WebKit Tracking Prevention Policy" that details a range of anti-tracking measures it has developed and the types of tracking practices it believes are harmful to users.
Inspired by Mozilla's anti-tracking policy, the document posted to the WebKit blog provides an insight into the anti-tracking features built into Apple's Safari browser that the team hopes to see in all browsers one day.
This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers. These practices are harmful to users because they infringe on a user's privacy without giving users the ability to identify, understand, consent to, or control them.
Apple introduced Intelligent Tracking Prevention in iOS 11 and in Safari 11 in macOS High Sierra 10.13 and has been working to develop ITP ever since. For example, in February Apple released iOS 12.2 and Safari 12.1 for macOS, both of which included ITP 2.1 featuring enhancements that block cross-site tracking.
The new WebKit policy highlights Apple's continuing efforts to target all forms of cross-site tracking behavior, even if it's in plain view.
WebKit will do its best to prevent all covert tracking, and all cross-site tracking (even when it’s not covert). These goals apply to all types of tracking listed above, as well as tracking techniques currently unknown to us.
If a particular tracking technique cannot be completely prevented without undue user harm, WebKit will limit the capability of using the technique. For example, limiting the time window for tracking or reducing the available bits of entropy — unique data points that may be used to identify a user or a user’s behavior.
In addition to cross-site tracking, the document outlines several other tracking practices it deems harmful to users, and says WebKit will treat circumvention of its anti-tracking measures "with the same seriousness as exploitation of security vulnerabilities."
If a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice. These restrictions may apply universally; to algorithmically classified targets; or to specific parties engaging in circumvention.
For more on tracking definitions, the unintended impact of anti-tracking measures, and exceptions to the rules, check out the full WebKit Tracking Prevention Policy on the WebKit blog.
Safari is one of the most important apps on the iPhone and iPad, allowing iOS users to access the web on their devices. Safari is one of the apps that routinely gets updated when new versions of iOS are released, and iOS 13 is no exception.
Safari in iOS 13 offers a whole range of useful updates, from an updated start page to a new download manager. Below, we walk through all of the new and important features in Safari in iOS 13.
Safari in iOS 13 has a revamped start page (the page that's available when you open a new Safari window or tab) that now incorporates Siri Suggestions and other features.
The start page includes access to your favorite websites as usual, but Siri Suggestions will also surface relevant websites in your browsing history along with frequently visited sites, links sent to you in the Messages app, and more.
The new start page is designed to let you get to what most interests you quickly, and it makes sure you don't forget to check out websites recommended to you by friends and family.
Website View Menu
In the Smart Search field where you can search or type in URLs, there's a new icon on the left denoted by two As.
Tapping on this icon opens up the new Website View menu, where you can access the following controls:
Text Size Options - Adjust the size of the text on the website you're on.
Enable Reader View - Enable Reader View on the website you're on, which gets rid of ads and formatting for a clean book-style reading interface.
Hide Toolbar - Eliminates the Toolbar so you can see the webpage you're on full screen.
Request Desktop Website - Loads the desktop version of a website instead of the mobile version. This feature is for the iPhone, as the iPad now automatically loads desktop versions of websites instead of mobile versions. This turns into "Request Mobile Website" if the desktop site is already loaded.
Website Settings - Provides access to individual settings for each website. You can set the site you're on to load in Reader view automatically or to always load as a desktop website. You can also enable or disable content blockers on a per-site basis, and toggle access to the camera, microphone, and your location. You can view sites where you've customized the settings in the Safari section of the Settings app under "Website Settings."
In the Safari section of the Settings app, there are new per-site controls that let you adjust everything from page zoom to privacy settings for all of the websites you visit (with settings for individual sites customizable using the View Menu mentioned above).
Custom settings you've set will also be listed here along with the toggles to control all websites by default. Available settings:
Page Zoom - Sets the page zoom level for all websites from 50 percent to 300 percent. The default is 100 percent.
Request Desktop Website - Lets you enable Request Desktop Site for all websites by default.
Enable Reader View - Lets you enable Reader View for all websites by default. Sites with a Reader mode will always load in that view.
Enable/Disable Content Blockers - Lets you toggle on or toggle off content blockers for all websites.
Camera Access - Controls camera access. Available settings are Ask, Deny, and Allow.
Location Access - Controls location access. Available settings are Ask, Deny, and Allow.
Microphone Access - Controls microphone access. Available settings are Ask, Deny, and Allow.
If you've enabled some of these settings on a per-site basis using the View Menu, such as turning on Request Desktop Site for MacRumors.com, you can disable the presets or delete them in the Website Settings section using the Edit menu for each category.
There's also an option to clear all settings when using this view.
When uploading a photo to a website in Safari, you can now choose what size image to upload. Options include Actual Size, Large, Medium, and Small, with each option providing the file size at the bottom of the display once it's selected.
Saving Open Tabs as Bookmarks
Safari in iOS 13 includes a new feature that lets you bookmark all of your open tabs. To get to it, long press on the bookmark icon at the bottom of the Safari window, and then choose "Add Bookmarks for [x] Tabs."
Selecting this will provide you with an interface where you can choose a new folder name and location for the bookmarks to be saved.
You can open up all the bookmarks that you've saved into new tabs (or bookmarks from any other folder) by opening up the Bookmarks interface, long pressing on the folder, and selecting the new "Open in New Tabs" option. There's also an option to copy the contents, which has also been added in iOS 13.
When you start typing the address of a website that's already open in another tab, Safari will direct you to the open tab in iOS 13 rather than opening up a new tab. This makes sure you don't open unnecessary tabs.
Automatically Close Safari Tabs
If you want to set your Safari tabs to automatically close after a set period of time, there's a new option to do so in the Safari section of the Settings app.
Open up Settings, choose Safari, scroll down to where it says "Close Tabs" and select the option that you want. The default setting is manual, which means tabs won't close unless you close them yourself, but you can also set tabs to clear automatically after one day, one week, or one month.
Redesigned Share Sheet
The Share Sheet in iOS 13 has been redesigned, making options like Copy, Add to Reading List, Add Bookmark, and more easier to get to with a new list-style view.
Multiple contact suggestions are also included in the Share Sheet now, including people you've recently spoken to in Messages and AirDrop devices that are nearby.
There's a new feature for sharing an entire web page as a link, a PDF, or in Reader view from the Share Sheet, and through the "Options" interface, you can choose whether to send content as a PDF or a Web Archive. By default, though, iOS 13 will pick "the most suitable format" for each app or action.
Sign In With Apple
Though not enabled in the beta right now, Apple is introducing a new Sign In with Apple feature that's a privacy-focused alternative to existing sign-in options from companies like Twitter, Google, and Facebook.
Sign In with Apple is designed to let you sign in to various apps and websites using your existing Apple ID as an authentication method. Unlike sign-in options from Google, Twitter, and Facebook, Apple's new option doesn't track or profile you.
With Sign In with Apple, there's no need to create a login name or email address when signing up for a new website account. Sign In with Apple is authenticated via Face ID or Touch ID, and your information is further protected with two-factor authentication.
If you don't want to share your email address with an app or service that uses Sign In with Apple, Apple has created a "Hide My Email" feature to let you create unique single-use email addresses that forward to your real email address while keeping it inaccessible to third-party apps and services.
Sign In with Apple is designed to work in Safari on iOS, Safari on Mac, in apps, and on other platforms.
Weak Password Warnings
When signing up for a new website account, if you attempt to use a weak password, Safari will give you a warning and suggest a stronger password.
In iOS 13, Safari history and open tabs that have been synced to iCloud are protected with end-to-end encryption, which means that no one but you can access your browsing history.
Enhanced Anti-Fingerprinting Protections
Apple has bolstered anti-fingerprinting protections in Safari in iOS 13, adding new protections related to browser fonts. Anti-fingerprinting techniques prevent companies from tracking your web browsing activities from website to website.
Safari features a new Download Manager that matches the Download Manager in Safari for desktop. When you choose to download a file, such as an image, a little download icon is displayed in the top right corner of the display.
Tapping on the icon will let you see a list of files that you've downloaded, and tapping on the magnifying glass next to any file opens its enclosing folder.
By default, your downloaded Safari files are saved in a "Downloads" section of the Files app, but you can customize the file storage location by opening up the Settings app, selecting the Safari section, and tapping on the "Downloads" section.
You can choose to save files in iCloud Drive, on your iPhone, or in another location such as a different iCloud folder, Dropbox, or another cloud service.
Items in your Safari Download Manager can be set to be deleted after one day, upon successful download, or manually. One day is the default.
While all of the above features are available on both the iPhone and the iPad, there are some additional changes and updates that were added into iPadOS, the version of iOS 13 that's designed to run on the iPad.
All websites on the iPad now display in desktop mode rather than mobile view, better mimicking the viewing experience that you get on a Mac.
Safari on iPadOS introduces 30 additional shortcuts that can be used when browsing, similar to the shortcuts that can be used for Safari on a Mac.
The new keyboard shortcuts work with the Smart Keyboard from Apple or any third-party Bluetooth keyboard.
Use default font size in Reader (Command + 0)
Open link in background (Command + tap)
Toggle downloads (Command + Alt/Option)
Open link in new window (Command + Alt + tap)
Use selection for Find (Command + E)
Email this page (Command + I)
Open link in new tab (Command + Shift + tap)
Decrease Reader text size (Command + -)
Zoom in (Command + +)
Zoom out (Command + -)
Save webpage (Command + S)
Change focused element (Alt/Option + tab)
Focus Smart Search field (Command + Alt/Option + F)
Dismiss web view in app (Command + W)
Increase Reader text size (Command + +)
Download linked file (Alt + tap)
Add link to Reading List (Shift + tap)
Close other tabs (Command + Alt/Option + W)
Scroll around screen (arrow keys)
Paste without formatting (Command + Shift + Alt/Option + V)
New Private tab (Command + Shift + N)
Actual size (Command + 0)
Open search result (Command + Return)
Toggle bookmarks (Command + Alt/Option + 1)
Full Toolbar in Split View
When using Safari in Split View, the full toolbar is now displayed. In iOS 12, the search bar was visible, but the additional tools for doing things like accessing bookmarks and getting to the Share Sheet were not.
Creating New Windows
iOS 13 supports multiple windows from the same app in Split View. To create two Safari windows, you can drag a link from one Safari window into another to open Split View or Slide Over.
Dragging a link into a multitasking window with another app already open will open Safari as the secondary window. So, for example, you can open up Messages, receive a link, and drag it to create a Split View interface that has Safari (with the webpage in the link) and Messages open.
Apple says all TLS server certificates must comply with these new security requirements in macOS Catalina and iOS 13:
TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Effective immediately, any connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in macOS Catalina and iOS 13, according to Apple.
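The three requirements can be checked against the fields a certificate parser already reports. This is an added example, not Apple's validation code or part of the original article; the field names (`keyType`, `keyBits`, `signatureAlgorithm`, `sanDnsNames`, `commonName`) are an assumed parser output shape, and the sample chains are constructed.

```javascript
// Added example: audit parsed certificate fields against the three rules above.
// The input shape is hypothetical; adapt it to whatever your parser emits.

// Matches SHA-2 family names such as sha256WithRSAEncryption or ecdsa-with-SHA384,
// but not sha1WithRSAEncryption or SHA3-256.
const SHA2_SIGNATURE = /sha-?(224|256|384|512)/i;

// Compare a SAN dNSName (optionally with a left-most wildcard label) to a host.
// A wildcard covers exactly one label and is refused for patterns like "*.com".
function dnsNameMatches(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  if (p.length !== h.length) return false;
  return p.every((label, i) =>
    label === h[i] || (i === 0 && label === '*' && p.length > 2));
}

// chain[0] is the server (leaf) certificate, the rest are its issuing CAs.
// Returns a list of human-readable violations; an empty list means compliant.
function checkTlsRequirements(host, chain) {
  const violations = [];
  chain.forEach((cert, i) => {
    const who = i === 0 ? 'leaf' : `issuer[${i}]`;
    // Rule 1: RSA keys must be at least 2048 bits (leaf and issuing CAs).
    if (cert.keyType === 'RSA' && cert.keyBits < 2048) {
      violations.push(`${who}: RSA key is ${cert.keyBits} bits, below 2048`);
    }
    // Rule 2: the signature must use a SHA-2 hash (leaf and issuing CAs).
    if (!SHA2_SIGNATURE.test(cert.signatureAlgorithm)) {
      violations.push(`${who}: signature ${cert.signatureAlgorithm} is not SHA-2`);
    }
  });
  // Rule 3: the host must appear in the leaf's SAN; CommonName no longer counts.
  const leaf = chain[0];
  const san = leaf.sanDnsNames || [];
  if (!san.some((name) => dnsNameMatches(name, host))) {
    const cnOnly = Boolean(leaf.commonName) && dnsNameMatches(leaf.commonName, host);
    violations.push(cnOnly
      ? 'leaf: host appears only in CommonName, not in Subject Alternative Name'
      : 'leaf: host is not present in Subject Alternative Name');
  }
  return violations;
}

// Constructed sample: an older internal certificate that fails all three rules.
const LEGACY_CHAIN = [
  { keyType: 'RSA', keyBits: 1024, signatureAlgorithm: 'sha1WithRSAEncryption',
    sanDnsNames: [], commonName: 'intranet.example' },
  { keyType: 'RSA', keyBits: 2048, signatureAlgorithm: 'sha256WithRSAEncryption' },
];
console.log(checkTlsRequirements('intranet.example', LEGACY_CHAIN));
```

Certificates that carry the host name only in CommonName are the case most likely to surprise operators of internal services, since the key size and hash rules were already enforced by other browsers.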
Google, Microsoft, and Mozilla all deprecated SHA-1 certificates in 2017.
Apple today previewed a new Safari feature called Privacy Preserving Ad Click Attribution that it says will allow advertisers to measure the effectiveness of their ad campaigns on the web without compromising user privacy.
Wilander says the traditional method of ad click attribution has no practical limit on data, allowing for full cross-site tracking of users using cookies. "We believe this is privacy invasive and thus we are obliged to prevent such ad click attribution from happening in Safari and WebKit," he wrote.
Thus, Apple has proposed a modern solution that it says doesn't allow for cross-site tracking of users but does provide a means of measuring the effectiveness of online ads. The feature is built into the browser itself and runs on-device, meaning that the browser vendor does not see any of the ad data.
Here is Apple's summary of its privacy considerations for the feature:
Only links served on first-party pages should be able to store ad click attribution data.
Neither the website where the ad click happens nor the website where the conversion happens should be able to see whether ad click data has been stored, has been matched, or is scheduled for reporting.
Ad clicks should only be stored for a limited time, such as a week.
The entropy of both ad campaign ID and conversion data needs to be restricted to a point where this data cannot be repurposed for cross-site tracking of users. We propose six bits each for these two pieces of data, or values between 0 and 63.
Ad click attribution requests should be delayed randomly between 24 to 48 hours. This makes sure that a conversion that happens shortly after an ad click will not allow for speculative cross-site profiling of the user. The randomness in the delay makes sure the request does not in itself reveal when during the day the conversion happened.
The browser should not guarantee any specific order in which multiple ad click attribution requests are sent, since the order itself could be abused to increase the entropy and allow for cross-site tracking of users.
The browser should use an ephemeral session aka Private or Incognito Mode to make ad click attribution requests.
The browser should not use or accept any credentials such as cookies, client certificates, or Basic Authentication in ad click attribution requests or responses.
The browser should offer a way to turn ad click attribution on and off. We intend to have the default setting to be on to encourage websites to move to this technology and abandon general cross-site tracking.
The browser should not enable ad click attribution in Private/Incognito Mode.
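The privacy considerations above translate into a small amount of browser-side state. The following is an added example that models them, not WebKit's implementation or code from the original article; the class, method and field names are hypothetical, and time is passed in as milliseconds so the behaviour is deterministic.

```javascript
// Added example: a simplified model of the storage, matching and reporting rules.
const HOUR_MS = 60 * 60 * 1000;
const CLICK_TTL_MS = 7 * 24 * HOUR_MS; // "a limited time, such as a week"
const MAX_SIX_BIT = 63;                // six bits of entropy: values 0..63

function isSixBit(value) {
  return Number.isInteger(value) && value >= 0 && value <= MAX_SIX_BIT;
}

class AttributionStore {
  // `random` is injectable so tests can make the delay and shuffle predictable.
  constructor(random = Math.random) {
    this.random = random;
    this.clicks = new Map(); // "source|destination" -> { campaignId, clickedAt }
    this.pending = [];       // matched reports waiting for their send time
  }

  // Stores a click only for first-party links, outside private browsing, with a
  // six-bit campaign ID. Returns nothing, so a page cannot tell whether it was stored.
  recordClick({ source, destination, campaignId, linkIsFirstParty, privateMode }, now) {
    if (privateMode || !linkIsFirstParty || !isSixBit(campaignId)) return;
    this.clicks.set(`${source}|${destination}`, { campaignId, clickedAt: now });
  }

  // Matches a conversion to a stored click and schedules the report 24 to 48
  // hours later. Also returns nothing: matching is invisible to both sites.
  recordConversion({ source, destination, conversionData, privateMode }, now) {
    if (privateMode || !isSixBit(conversionData)) return;
    const key = `${source}|${destination}`;
    const click = this.clicks.get(key);
    if (!click) return;
    this.clicks.delete(key);
    if (now - click.clickedAt > CLICK_TTL_MS) return; // click is older than a week
    const delayMs = (24 + this.random() * 24) * HOUR_MS;
    this.pending.push({
      source, destination, campaignId: click.campaignId, conversionData,
      sendAt: now + delayMs,
    });
  }

  // Returns the reports that are due, in shuffled order and without timestamps,
  // so neither ordering nor timing adds entropy. `credentials: 'omit'` models the
  // rule that no cookies or other credentials accompany the request.
  takeDueReports(now) {
    const due = this.pending.filter((r) => r.sendAt <= now);
    this.pending = this.pending.filter((r) => r.sendAt > now);
    for (let i = due.length - 1; i > 0; i--) {
      const j = Math.floor(this.random() * (i + 1));
      [due[i], due[j]] = [due[j], due[i]];
    }
    return due.map(({ source, destination, campaignId, conversionData }) => ({
      source, destination, campaignId, conversionData, credentials: 'omit',
    }));
  }
}

// Constructed walk-through: a click on search.example, a purchase on shop.example.
const demo = new AttributionStore();
demo.recordClick({ source: 'search.example', destination: 'shop.example',
  campaignId: 55, linkIsFirstParty: true, privateMode: false }, 0);
demo.recordConversion({ source: 'search.example', destination: 'shop.example',
  conversionData: 20, privateMode: false }, 2 * HOUR_MS);
console.log(demo.takeDueReports(2 * HOUR_MS));  // nothing yet: still inside the delay
console.log(demo.takeDueReports(51 * HOUR_MS)); // the single 12-bit report
```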
Privacy Preserving Ad Click Attribution is available as an experimental feature in Safari Technology Preview 82 and later. To turn on the feature, enable the Develop menu and navigate to the Experimental Features submenu.
Apple says the feature will be turned on for web developers later this year. The company has also recommended it as a web standard to the W3C.
The 19th annual CanSecWest security conference is underway in Vancouver, Canada, including the annual Pwn2Own hacking contest, and two zero-day security vulnerabilities have so far been discovered in Safari on macOS.
The contest kicked off on Wednesday with security researchers Amat Cama and Richard Zhu teaming up against Safari. The duo successfully exploited the browser and escaped the sandbox by using a combination of an integer overflow, heap overflow, and brute force technique, earning them $55,000.
Later in the day, a trio of Niklas Baumstark, Luca Todesco, and Bruno Keith targeted Safari with a kernel elevation. They demonstrated a complete system compromise, but it was only a partial win since Apple supposedly already knew of one of the bugs used in the demo. They still netted $45,000.
In total, participants were awarded $240,000 on day one of Pwn2Own. Day two of the contest is currently underway. All exploits discovered during the contest are reported to the necessary companies like Apple so they can be patched.
Safari in the iOS 12.2 beta and Safari 12.1 for macOS High Sierra and Mojave includes an updated version of Intelligent Tracking Prevention, according to details shared on Apple's WebKit blog.
ITP 2.1, as Apple is calling it, caps client-side cookie storage to seven days. After this time period, cookies expire. As outlined by Apple, this offers improvements in privacy, security, and performance. From Apple's WebKit blog:
- Cross-site trackers have started using first-party sites' own cookie jars for the purpose of persistent tracking. The first-party storage space is especially troublesome for privacy since all tracker scripts in the first-party context can read and write each other's data. Say social.example writes a user tracking ID as a news.example first-party cookie. Now analytics.example, adnetwork.example, and video.example can leverage or cross pollinate that user tracking ID through their scripts on news.example.
- Cookies available in document.cookie can be stolen by speculative execution attacks on memory. Therefore, they should not carry sensitive information such as credentials.
- Cookies available in document.cookie can be stolen by cross-site scripting attacks. Again, therefore, they should not carry sensitive information such as credentials.
- The proliferation of cookies slows down page and resource loads since cookies are added to every applicable HTTP request. Additionally, many cookies have high entropy values which means they cannot be compressed efficiently. We come across sites with kilobytes of cookies sent in every resource request.
- There is a size limit on outgoing cookie headers for performance reasons, and websites risk hitting this limit when cross-site trackers add first-party cookies. We've investigated reports of news site subscribers getting spuriously logged out, and found that trackers were adding so many cookies that the news site's legitimate login cookie got pushed out.
The cookie storage limits will not log users out as long as websites are using the appropriate authentication cookies because it only affects cookies created through document.cookie.
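The difference between script-written and server-set cookies is what keeps logins working under the seven-day cap. The following is an added example that models that distinction for a cookie audit; it is not Safari's code or part of the original article, the function names and the `sensitive` flag are hypothetical, and the rejection of `HttpOnly` cookies written by script follows standard cookie handling rather than anything stated on this page.

```javascript
// Added example: which cookies does the ITP 2.1 cap touch, and which
// credential cookies are exposed to script? Sample inventory is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const SCRIPT_COOKIE_CAP_MS = 7 * DAY_MS;

// Parse the lifetime-relevant attributes of a cookie string.
function parseCookieString(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? '' : pair.slice(0, eq),
    httpOnly: false, maxAgeSeconds: null, expiresAt: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'max-age' && /^-?\d+$/.test(value)) cookie.maxAgeSeconds = Number(value);
    else if (key === 'expires' && !Number.isNaN(Date.parse(value))) cookie.expiresAt = Date.parse(value);
  }
  return cookie;
}

// setBy is 'script' (written through document.cookie) or 'header' (Set-Cookie
// in an HTTP response). Only script-written cookies are capped.
function storeCookie(str, setBy, now) {
  const c = parseCookieString(str);
  // Script cannot create HttpOnly cookies; such a write is ignored.
  if (setBy === 'script' && c.httpOnly) return { name: c.name, stored: false };
  // Max-Age takes precedence over Expires; null means a session cookie.
  let expiresAt = c.maxAgeSeconds !== null ? now + c.maxAgeSeconds * 1000 : c.expiresAt;
  let capped = false;
  if (setBy === 'script' && expiresAt !== null && expiresAt > now + SCRIPT_COOKIE_CAP_MS) {
    expiresAt = now + SCRIPT_COOKIE_CAP_MS;
    capped = true;
  }
  return { name: c.name, stored: true, expiresAt, capped, scriptReadable: !c.httpOnly };
}

// Report cookies whose lifetime will be shortened and credential cookies
// that any script on the page (or an XSS payload) could read.
function auditCookies(inventory, now) {
  const findings = [];
  for (const entry of inventory) {
    const result = storeCookie(entry.cookie, entry.setBy, now);
    if (!result.stored) continue;
    if (result.capped) findings.push(`${result.name}: lifetime capped to 7 days`);
    if (entry.sensitive && result.scriptReadable) {
      findings.push(`${result.name}: credential readable through document.cookie`);
    }
  }
  return findings;
}

// Constructed inventory for a news site with one tracker-written identifier.
const SAMPLE_INVENTORY = [
  { cookie: 'session=opaque; Max-Age=2592000; Path=/; Secure; HttpOnly', setBy: 'header', sensitive: true },
  { cookie: 'token=abc; Max-Age=2592000; Path=/', setBy: 'script', sensitive: true },
  { cookie: 'uid=tracker123; Max-Age=31536000; Path=/', setBy: 'script', sensitive: false },
  { cookie: 'pref=dark; Max-Age=86400', setBy: 'script', sensitive: false },
];
console.log(auditCookies(SAMPLE_INVENTORY, Date.UTC(2019, 1, 21)));
```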
ITP 2.1 also allows for just a single set of cookies per site rather than multiples, and third-party tools with cross-site tracking capabilities need to use the Storage Access API to get cookie access.
Apple says this change simplifies cookie behavior for developers, lowers the memory footprint of Safari, and makes Intelligent Tracking Prevention compatible with more platforms.
A verified partitioned cache for cutting down on cache abuse for tracking purposes is also included, and as we covered earlier this month, support for Do Not Track has been disabled.
Apple says that it is removing Do Not Track because most websites never paid any attention to it since it was opt-in and could be ignored.
The DNT project recently ended without the publication of a standard, in part "because there has not been sufficient deployment of these extensions (as defined) to justify further advancement." Given the lack of deployment of DNT and Safari's on by default privacy protections such as ITP, Safari removed support for DNT so that users are not presented with a misleading and ineffective privacy control that, if anything, only offered additional browser fingerprinting entropy.
Additional details on the Intelligent Tracking Prevention updates being introduced are available via Apple's full WebKit blog post.
In the release notes for Safari 12.1, the new version of Apple's browser installed in iOS 12.2, Apple says that it is removing support for the "Do Not Track" feature, which is now outdated.
From the release notes: "Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable."
Do Not Track is no longer an option in iOS 12.2, as seen in iOS 12.2 screenshot on left. iOS 12.1.3 screenshot on right.
The same feature was also removed from Safari Technology Preview today, Apple's experimental macOS browser, and it is not present in the macOS 10.14.4 betas. According to Apple, Do Not Track is "expired" and support is being eliminated to prevent its use as, ironically, a fingerprinting variable for tracking purposes.
"Do Not Track" is an outdated feature that was added to Safari quite a long time ago, first showing up in OS X Lion in 2011. Proposed by the FTC, "Do Not Track" is a preference that is sent by a user's browser to various websites requesting that advertising companies not use tracking methods.
It is entirely up to the advertising companies to comply with the "Do Not Track" messaging, and it has no actual function beyond broadcasting a user preference. All it does is say something to the effect of "hey, I prefer not to be tracked for targeted advertisements," which websites, advertisers, and analytics companies are free to ignore.
In the settings for Safari in iOS 12.2, Apple is no longer listing "Do Not Track" as a setting that can be toggled off or on, and in the Safari Preview browser, "Ask websites not to track me" is no longer listed as an option.
To replace Do Not Track, Apple has been implementing much more stringent Intelligent Tracking Prevention options, which do actually have a tangible effect and prevent the tracking methods that many advertisers and analytics sites use to detect your cross-site internet browsing.
The upcoming software update also introduces a new Motion & Orientation Access toggle under Settings > Safari > Privacy & Security. Toggled off by default, this new setting must be turned on in order for websites to display features that rely on motion data from the gyroscope and accelerometer in the iPhone, iPad, and iPod touch.
To test this, we loaded the What Web Can Do Today website on an iPhone running the first beta of iOS 12.2. With the Motion & Orientation Access setting toggled on, the page shows real-time accelerometer and gyroscope data from the iPhone. With the setting toggled off, no motion data is shown.
Another example is Apple's motion-based iPhone experience site. This page normally allows you to tilt your actual iPhone to swivel the iPhone XS Max on the screen with tech specs. With Motion & Orientation Access toggled off, however, only a static image of the iPhone XS Max is shown without tech specs.
This privacy-focused change could be in response to a WIRED report last year that claimed thousands of websites have unmitigated access to motion, orientation, proximity, and light sensor data on mobile devices.
As noted by Digiday, the setting could have implications for AR/VR advertising:
For example, Samsung's "Samsung Within" web-based interactive experience, developed by R/GA to promote the hardware brand's legacy and its Galaxy Note 9 phone, uses the accelerometer to let people explore the night sky.
"It's definitely going to break things," said Kai Tier, executive technology director at R/GA.
These AR/VR experiences may have to rely on fallback versions that people can navigate with swipe gestures instead, but this largely defeats the purpose of motion-based, interactive campaigns.
It's quite possible Apple could tweak how this feature works in time for the public release of iOS 12.2. Perhaps the setting will be toggled on by default in a subsequent beta, for example, or Safari could prompt users for permission to access motion data when necessary as it does with location data.
Apple this week released iTunes 12.8.1 for OS X Yosemite up to macOS High Sierra. The minor update resolves an issue that prevented iTunes from streaming media to third-party AirPlay speakers, and contains other minor improvements.
However, anyone running OS X Yosemite 10.10.5 specifically should avoid updating to iTunes 12.8.1 for now, as users across the MacRumors Forums, Twitter, Reddit, and Stack Exchange report that the update somehow breaks Safari 10.1.2, the latest version of the browser for OS X Yosemite.
After updating to iTunes 12.8.1, some users have encountered the following error message when opening Safari on OS X Yosemite:
Safari cannot be opened because of a problem.
Check with the developer to make sure Safari works with this version of Mac OS X. You may have to reinstall the application. Be sure to install any available updates for the application and Mac OS X.
One user on Stack Exchange believes that the iTunes 12.8.1 update may update /System/Library/PrivateFrameworks/MobileDevice.framework to a version incompatible with Safari 10.1.2, but the cause is not entirely clear. We've flagged the issue with Apple and asked if and when a fix will be available.
In the meantime, workarounds include using an alternative browser such as Firefox or upgrading to a newer macOS version — of course, those still using OS X Yosemite likely don't want to or can't upgrade. Updating to iTunes 12.9 is not possible on OS X Yosemite, as that version is only compatible with macOS Mojave.
We'll update this article when a fix is available.
There are several ways to search the web in Apple's Safari browser. In this article, we're going to highlight a way of searching specific websites using a lesser-known Safari feature called Quick Website Search. The option is designed to work with sites that have a built-in search field, like the one you can find at the top of the main page at MacRumors.com. Here's how it works.
Let's say you want to look up articles on MacRumors that mention device benchmarks. You might do this by typing "macrumors benchmarks" into Safari's address bar to get results from whichever search engine the browser is configured to use. If you're a bit more search savvy, you might even type "site: macrumors.com benchmarks" to limit the search to MacRumors. But ideally you'd just navigate to MacRumors.com and use the search field provided at the top of the page.
If you take the latter option and Quick Website Search is enabled, Safari will remember that you've used the MacRumors search field and offer to use it again in future searches that include the website's name. For example, if you typed "macrumors" followed by "deals" directly into Safari's address bar, you could tap the option Search macrumors.com for "deals" in the suggestions box, as shown above, and you'd get instant results from MacRumors' own on-site search function.
How to Enable Quick Website Search in iOS
The functionality of Quick Website Search depends on how a given site implements its search field, but we've found that it works with most popular websites that offer them, so it's worth making sure you have the feature enabled. To do this on iPhone and iPad, launch the Settings app, tap Safari -> Quick Website Search and slide the Quick Website Search toggle to the green ON position.
Notice on this screen that you can also tap Edit to remove websites from the list of shortcuts that Safari automatically adds to whenever you use a site-specific search field.
How to Enable Quick Website Search on Mac
The feature works the same way in Safari for macOS. To see if it's enabled, select Safari -> Preferences... from the menu bar, choose the Search tab, and make sure the checkbox is ticked next to Enable Quick Website Search.
Lastly, if you click the Manage Websites... button next to the checkbox, you can view Safari's list of website shortcuts, remove individual websites, or clear the list completely.