Well, paint me red and call me a girl scout: Facebook, Google, and several other advertising networks are using a loophole to make sure third party cookies could still be installed on Safari and Mobile Safari, even though those two browsers technically shouldn’t allow such cookies. Google has already ceased the practice, and in fact, closed the loophole in WebKit itself months ago.
It’s a bit of a weird story, mostly because the Wall Street Journal story that launched all this has been dumbed down so much it’s barely readable. Basically, Safari and Mobile Safari have been designed to only accept cookies from sites users explicitly navigate to; in other words, cookies from other sources shouldn’t be able to find their way onto users’ machines.
However, there’s a workaround for this which has been implemented by Facebook, Google, and other advertising networks. It’s part of how the Like and +1 buttons work, for instance. The workaround consists of automatically submitting a vestigial form in an iframe, which Safari will then treat as if it comes from a first party domain.
The crazy thing here is that this loophole has already been fixed in WebKit itself. Over 7 months ago. By two Google engineers. In other words, while Google is one of the parties using the loophole, Google itself fixed it 7 months ago. The Wall Street Journal contacted Google about this, and Google immediately ceased using the loophole, claiming it was unintential (sure, Google, sure).
“The Journal mischaracterizes what happened and why,” Google said in a statement to the WSJ, “We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”
Several other advertising networks also use the loophole, with the reasoning being that since other browsers allow third party cookies, Safari has to be worked around to create a consistent experience. Facebook goes a step further, and openly advocates the loophole on a corporate “Best Practices” Facebook page.
In case the point hasn’t been driven home yet – companies need to be monitored at all times. This was clearly intentional, and circumvents restrictions Apple has put in place to protect the privacy of its users. It doesn’t matter whether it’s Google and Facebook circumventing privacy restrictions, or Microsoft and Apple taking away ownership of our computers – this stuff needs to be questioned, challenged, and monitored at all times.
If we don’t, we could end up in a world of hurt.