Cookies Settings Observations

At the risk of being accused of turning this into a “Safari Support Forum,” I would like to make some observations about Safari’s new cookie settings. This is not intended as feedback to the Safari team or product, which I will file separately, but rather is intended to address some conversation we had on this point at the last f2f meeting (initiated by Mark, I believe). I’ve been trying to use the Web with Safari with cookie settings set to “Allow from current site only,” and I have encountered many difficulties. Most of these have been in the context of OAuth sessions (for example when trying to “sign in with github” or “sign in with Facebook”). In these cases, setting cookie settings back to “Allow from websites I visit” usually remedies the situation. In addition, I’ve had issues with sites (such as one most recently run by the UK Government) that hand you off to a 3rd party payment processor (in this case Worldpay) as part of executing a translation (I have also filed this as a bug).

My observation is that many production web sites rely on the presence and functionality of third party cookies. And when these do not function (for example if the cookie settings in Safari are set to “Allow from current site only”) the behavior of these sites is to fail silently (e.g. in an OAuth session you are redirected back to the calling site and aren’t signed in but left with no indication why not) or fail with a cryptic message (e.g. you get GitHub’s “something went wrong” page but again have specific indication that this may have something to do with cookies).

Dan

Received on Monday, 26 January 2015 19:59:36 UTC