Why is "cookies can't be used in 3rd-party context" not turned on from day 0?
> Why is "cookies can't be used in 3rd-party context" not turned on from day 0?
It's been the long-standing default of Safari to block 3rd-party cookies. As is described in the excellent post this links to, there is some functionality that 3rd-party cookies enable that can be beneficial. They use single-sign-on as an example.
If I understand correctly, "Single sign-on" means that when you sign in at one site, you're automatically signed in at others. Like when you sign in to Gmail, you get logged in on YouTube without any extra clicks.
Though I think SSO should be possible with OAuth — maybe with a hidden iframe that does the auth process, or something with CORS requests… Or maybe a custom redirect-based protocol would be better.
OAuth can be modified so that it would not require any user action. When a user visits a site, he gets redirected to the authorisation domain that checks whether the user is logged in and makes a redirect back to the original site, adding the authorisation result to the URL.
I guess it is because of some legacy sites that would break. Cross-domain interaction rules are very complicated and poorly designed. For example, there is no CSRF protection on the browser side and every developer has to implement it on the server side.
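The redirect-based login check described in the comments above, as an added sketch that is not part of the original thread: the identity provider reads its own cookie during a top-level navigation, so no third-party cookie is involved, and the site accepts the result in the URL only if it is bound to its own `state` and signed. The hosts `idp.example` and `shop.example`, the shared HMAC key and all function names are assumptions made for this example.

```python
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# All names and values below are constructed for this example.
IDP_KEY = secrets.token_bytes(32)              # key shared by IdP and site
RETURN_TO = "https://shop.example/sso/callback"
ALLOWED_RETURN = {RETURN_TO}                   # IdP's registered return URLs
IDP_SESSIONS = {"sess-alice": "alice"}         # IdP's own first-party sessions

def _sign(*fields):
    return hmac.new(IDP_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()

def site_start(browser_store):
    """Site: bind a fresh state to this browser, then redirect to the IdP."""
    state = secrets.token_urlsafe(16)
    browser_store["state"] = state
    return "https://idp.example/check?" + urlencode({"return_to": RETURN_TO, "state": state})

def idp_check(url, idp_cookie):
    """IdP: look up its first-party cookie, redirect back with a signed result."""
    q = parse_qs(urlparse(url).query)
    return_to, state = q["return_to"][0], q["state"][0]
    if return_to not in ALLOWED_RETURN:        # never redirect to unregistered URLs
        raise ValueError("return_to not registered")
    user = IDP_SESSIONS.get(idp_cookie, "")    # empty string means "not logged in"
    exp = str(int(time.time()) + 60)           # result is valid for 60 seconds
    sig = _sign(return_to, state, user, exp)
    return return_to + "?" + urlencode({"state": state, "user": user, "exp": exp, "sig": sig})

def site_callback(url, browser_store):
    """Site: return the user only if state, signature and expiry all check out."""
    parts = urlparse(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    try:
        state, user, exp, sig = (q[k][0] for k in ("state", "user", "exp", "sig"))
    except KeyError:
        return None
    return_to = f"{parts.scheme}://{parts.netloc}{parts.path}"
    stored = browser_store.pop("state", "")    # single use: a replayed URL fails
    if not hmac.compare_digest(state.encode(), stored.encode()):
        return None
    if not hmac.compare_digest(sig.encode(), _sign(return_to, state, user, exp).encode()):
        return None
    if int(exp) < time.time():
        return None
    return user or None
```

Standard OpenID Connect covers the same case with `prompt=none` and a signed ID token instead of the ad hoc HMAC used here.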
Some of the things that would break without third-party cookies are social network widgets - you would be unable to like some post or add a comment using Facebook login on a third-party site.
It would be nice if all new HTML5 features and APIs released from now on turned on 'Modern Web Security Mode', which fixes CSRF and a bunch of other security issues that are not backwards compatible.
Right now, isn't it a cat-and-mouse game of holding many domains/subdomains and passing the cookie flag across them? It seems technically possible to cancel out the protections of ITP. However, deciding cookies can never be used outside of 3rd party context may mean I have to make some additional logins to services from time to time, but have much better tracking protection.
Is my assessment faulty?