It’s been a while since we’ve had WebKit-related browser privacy news, but the most recent one is gutsy and somewhat surprising. Based on a recent commit to the WebKit project, Safari (and likely iOS/iPadOS browsers) will apply the 7-day expiration cap for first-party cookies to HTTP responses set from “third-party” IP addresses. In other words, if the first half of the IP address of the response differs from the first half of the IP address of the resource the user is navigating, WebKit will apply these cookie expiration constraints. This means that popular “CNAME cloaking” workarounds such as setting cookies from a cloud service (that runs server-side GTM) hosted on a subdomain will no longer prevent cookies from being prematurely expired on WebKit browsers. This is an interesting move because WK is somewhat redefining what “third-party” means, and it certainly is at odds with expectations of web services running SSO flows, for example. But it’s also clear that so much of ad tech has moved to these types of schemes in efforts to protect their precious cookies from being degraded. So, yes, babies are being thrown out with the bath water but this isn’t that drastic when considering WebKit’s overall goals as established in their Tracking Prevention policy. https://lnkd.in/dsZwDEf5 EDIT: This has been released in the latest Safari Technology Preview (157) but there’s no timeline when it will land in the stable release.
Jason Packer
1y
Since it only applies to cases where there's no CNAME returned, if we added our own CNAMEs on the server-side GTM GCP instances we'd avoid this issue, wouldn't we? Seems like a big assumption on WK's part, GCP and AWS run IPs from totally different ranges out of the same data center all the time.
Indeed, somewhat understandable seen all the adtech "workarounds", unfortunatily also potentially impacting "legit" stuff or interfering with user experience. One possible solution leveraging CDN capabilities... https://stacktonic.com/article/how-to-set-a-persistent-uuid-cookie-using-cloud-front-and-lamda-edge
David Solito
1y
Hey Simo, In the case of your subdomain is an A (or AAAA) entry in your zone but where the ip address differ (because different servers), is the behaviour the same?
Lars Friis
1y
Hi Simo. Do you know when this will be live? I can’t find a date ?
Michael Cleverly kan vi det?
Sean Bedford
1y
The game of cat and mouse continues! Larger businesses with resources will just route everything via a load balancer or use CDN, small businesses without expertise will experience another nail in the coffin to advertising effectively…
Roy Smith
1y
The degree to which AdTech is willing to climb even further out on the thin and cracking limb of cookie tracking is stunning. It's a bit like an addict who ends up looking in drawers and pants pockets for any small crumb of whatever they crave.
Daniel Ford
1y
Frustrating but perhaps not so surprising after all
Would a CDN for both root and subdomain solve this?
Rock-solid data for all your tools and use cases, quality guaranteed
1yYou can use a CDN like Cloudflare, either for both main domain and subdomain, or you use a route on your main domain for tracking requests. It’s a cat and mouse game, but if browsers can’t distinguish tracking requests from application requests, you should be safe.