Error Codes Wiki

Safari ITP Third-Party Cookie Blocked — What It Means & How to Fix It


About Safari ITP Third-Party Cookie Blocked

This page explains how to fix login flows, analytics, and embedded content that break when Safari's Intelligent Tracking Prevention (ITP) blocks third-party cookies.



Quick Answer

Can users disable ITP?

On macOS: Safari > Settings > Privacy > uncheck 'Prevent cross-site tracking.' On iOS: Settings > Safari > disable 'Prevent Cross-Site Tracking.' However, developers should not rely on users changing this setting.


Key Details

  • Safari's Intelligent Tracking Prevention (ITP) aggressively blocks third-party cookies and cross-site tracking
  • ITP affects login flows that rely on cookies from identity providers hosted on different domains
  • First-party cookies set via JavaScript (document.cookie) are limited to 7 days of expiry
  • ITP 2.3+ blocks all third-party cookies by default, an approach later adopted by other browsers

Common Causes

  • Third-party authentication service (Auth0, Firebase Auth) cookies blocked by ITP
  • Analytics scripts (Google Analytics, Mixpanel) unable to set or read tracking cookies
  • Embedded iframes from different domains cannot access their cookies
  • JavaScript-set first-party cookies expiring after 7 days, forcing re-authentication

Steps

  1. Use the Storage Access API: call document.requestStorageAccess() to request cookie access in iframes
  2. Move authentication to first-party: use your own domain for auth endpoints instead of third-party domains
  3. Set cookies server-side via Set-Cookie headers instead of JavaScript; server-set cookies are not limited to 7 days
  4. For analytics, use first-party proxy endpoints that forward data to the analytics provider
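
The Storage Access API flow from step 1, as an added example that is not part of the original page: the embedded iframe checks for access on load and only asks for it from inside a click handler, because the browser rejects requests made without a user gesture. The function names, the `button` element, the `onResult` callback and the `#connect` id are assumptions made for illustration.

```javascript
// Added example (not from the original page). Runs inside the embedded,
// cross-site iframe. `doc` is injected so the logic can be exercised with a stub.

// Check on load; hasStorageAccess() needs no user gesture.
async function storageAccessState(doc) {
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return "unsupported"; // no Storage Access API in this browser
  }
  return (await doc.hasStorageAccess()) ? "has-access" : "needs-prompt";
}

// Call this first thing in a click/tap handler: the browser rejects
// requestStorageAccess() when it is not triggered by a user gesture.
async function requestOnGesture(doc) {
  try {
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    return "denied"; // user declined, or the browser refused the request
  }
}

// Wire it up: only reveal the button when a prompt is actually needed.
// `button` and `onResult` are hypothetical, supplied by the embed's own code.
async function initEmbed(doc, button, onResult) {
  const state = await storageAccessState(doc);
  if (state !== "needs-prompt") {
    onResult(state);
    return state;
  }
  button.hidden = false;
  button.addEventListener("click", async () => {
    onResult(await requestOnGesture(doc));
  });
  return state;
}

// Browser entry point; "#connect" is an assumed element id in the iframe markup.
if (typeof document !== "undefined") {
  initEmbed(document, document.querySelector("#connect"), (result) => {
    console.log("storage access:", result);
  });
}
```

Treat "denied" and "unsupported" as normal outcomes and fall back to a first-party login flow (step 2) rather than retrying in a loop.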
