- WebKit is honoring the cookie's SameSite=None attribute when the cookie is set by server in this case the IdP
- Attempts to set this attribute from the client side (from the app interacting with the iOS cookie store) have been unsuccessful. For example, by setting `.sameSitePolicy = "none"`
- Safari Web Inspector shows the option to set the cookie's SameSite attribute to None, it however, does not get honored either, and is immediately reverted.
Single sign on works just fine without third-party cookies.
You forward the user to the SSO system with some URL parameters, the SSO system checks the first-party cookies (as the SSO system's domain is shown in the URL bar), then the SSO system forwards the user back to you with some different URL parameters. It can also be done with a popup login window, in many cases.
After all, what if the SSO system needed to ask for the user's password? Your users should know better than to enter their password on a third party's domain - so you need the forwarding mechanism for SSO login anyway.
Schools can use MDM profiles to track or restrict navigation.
Not only would you _not_ want to do it at this level or by setting cookies from a technical perspective, it wouldn’t work well as soon as a user goes to different app.
> Bear in mind that "invasive tracking" is also used for protection of the vulnerable.
If we're going to go down the "think of the children" path, I'd argue invasive tracking is used far more often for persecuting the vulnerable. But anyway, if you want an ultra locked-down machine for schools running Apple devices, use MDM, Santa or whatever else, and network filtering like everyone else.
I'm getting very tired of the idea that we need to bend to ad agencies and absurd government abuse in the supposed name of protecting the innocent. It's suffocating for everyone.
Some people online are strange and scary no doubt; I know that better than anyone. But kids will be kids, and they'll do dangerous things without you knowing; people go home and talk to strangers on Discord or whatever else all day and no amount of browser fingerprinting is going to change that.
Maybe I am the crazy one, though, I don't know. But I only learned to program because I wasn't caged up; I couldn't have been older than six years old or so when my friend introduced me to this MMO, RuneScape, which I became obsessed with. And like all dumb kids, I eventually tried to look for cheats, of course, there were none, but I stumbled upon some reverse engineering forums where people were collaborating and trying to build their own server emulators for the game. It was interesting, so I stuck around, and it incrementally forced me to learn just about everything I could really need -- from software to things like "oh gosh, we've suddenly got players, but now we're getting slammed by some dude's botnet; I am twelve and BlackLotus wants $500 a month for a server with any sort of DDoS mitigation, so we need to figure out how to deal with this on our own".
I had good times, and I had many terrifying times, but at the end of the day, my life would be entirely different if I grew up sheltered and shackled to an iPad with no way to truly investigate the things that interested me. I'm very glad I stole my mom's PowerBook to stay up all night in the vBulletin shoutbox with people no sane person would normally want their child hanging around.
The bug report referenced in this issue is the case of invasive tracking (basically enterprise spyware) breaking in iOS18 https://bugs.webkit.org/show_bug.cgi?id=279153
Normal web usage is not affected.
```
- WebKit is honoring the cookie's SameSite=None attribute when the cookie is set by server in this case the IdP
- Attempts to set this attribute from the client side (from the app interacting with the iOS cookie store) have been unsuccessful. For example, by setting `.sameSitePolicy = "none"`
- Safari Web Inspector shows the option to set the cookie's SameSite attribute to None, it however, does not get honored either, and is immediately reverted.
```