ITP 2.1, as Apple calls it, caps client-side cookie storage at seven days. After this time period, cookies expire. As described by Apple, this offers improvements in privacy, security and performance. From Apple's WebKit Blog:
– Cross-site trackers have begun to use first-party sites' own cookie jars for sustained tracking. The first-party storage is particularly troublesome for privacy, since all tracking scripts in the first-party context can read and write each other's data. Say social.example writes a user tracking ID as a news.example first-party cookie. Now analytics.example, adnetwork.example and video.example can exploit or cross-pollinate that user tracking ID through their scripts on news.example.
– Cookies available in document.cookie may be stolen by speculative execution attacks on memory. Therefore, they should not carry sensitive information such as identification.
– Cookies available in document.cookie may be stolen by cross-site scripting attacks. Again, therefore, they should not carry sensitive information such as identification.
– The spread of cookies slows down page and resource loads since cookies are added to each applicable HTTP request. In addition, many cookies have high entropy values, which means they cannot be effectively compressed. We come across websites with kilobytes of cookies sent in each resource request.
– There is a size limit for outgoing cookie headers for reasons of performance, and sites run the risk of hitting this limit when cross-site trackers add first-party cookies. We have investigated reports of news site subscribers being falsely logged out and found that trackers were adding so many cookies that the news site's legitimate login cookie was pushed out.
The cookie storage limits will not log users out as long as websites use the correct authentication cookies, because the limits only affect cookies created through document.cookie.
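The distinction above can be modelled in a few lines. This is an added example, not code from Apple or the original article: it assesses whether a cookie is readable through document.cookie and whether the seven-day cap applies to it. The function names and sample cookies are hypothetical and constructed, and only `Max-Age` is handled (`Expires` is ignored).

```javascript
// Added example; function names and sample cookies are hypothetical.
const SEVEN_DAYS_S = 7 * 24 * 60 * 60; // the cap described for ITP 2.1

// Parse one cookie string ("name=value; Max-Age=...; HttpOnly") into its parts.
function parseCookie(str) {
  const [pair, ...attrs] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// source: "http" for a Set-Cookie response header, "script" for document.cookie.
function assess(str, source) {
  const c = parseCookie(str);
  // document.cookie cannot create HttpOnly cookies, so only HTTP-set
  // cookies can be hidden from script (and from XSS reads).
  const httpOnly = source === "http" && c.attrs["httponly"] === true;
  // null means a session cookie (no Max-Age given).
  const requested = "max-age" in c.attrs ? Number(c.attrs["max-age"]) : null;
  // The cap applies only to cookies created through document.cookie.
  const capped = source === "script" && requested !== null && requested > SEVEN_DAYS_S;
  return {
    name: c.name,
    readableByScript: !httpOnly,
    lifetimeSeconds: capped ? SEVEN_DAYS_S : requested,
    cappedByItp: capped,
  };
}

// Constructed sample: one server-set login cookie, two script-set cookies.
const SAMPLE = [
  ["session=opaque-token; Max-Age=2592000; Path=/; Secure; HttpOnly", "http"],
  ["tracker_uid=abc123; Max-Age=63072000; Path=/", "script"],
  ["theme=dark; Max-Age=86400", "script"],
];

function auditSample() {
  return SAMPLE.map(([str, source]) => assess(str, source));
}

console.log(auditSample());
```

The server-set `session` cookie keeps its 30-day lifetime and stays out of document.cookie, while the script-set two-year identifier is cut to seven days.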
ITP 2.1 also allows only one set of cookies per website instead of multiples, and third parties with cross-site tracking capabilities must use the Storage Access API to get cookie access.
Apple says this change simplifies cookies for developers, lowers the memory footprint of Safari, and makes Intelligent Tracking Prevention compatible with multiple platforms.
A verified partitioned cache to cut down on cache abuse for tracking purposes is also included, and as we covered earlier this month, support for Do Not Track has been removed.
Apple says it removed Do Not Track because most sites never paid attention to it, since it was opt-in and could be ignored.
The DNT project recently terminated without publishing a standard, in part "because there has not been sufficient deployment of these extensions (as defined) to justify further progress." Given the lack of deployment of DNT and Safari's on-by-default privacy protections such as ITP, Safari removed support for DNT, so that users are not presented with a misleading and ineffective privacy control which, if anything, only offered additional fingerprinting entropy to the browser.
Further details on the Intelligent Tracking Prevention updates are available in Apple's full WebKit blog post.