Blog

Safari Intelligent Tracking Prevention: third-party contexts, CORS, and cookie lifetimes

ITP caps storage and cookies for cross-site use; credentialed CORS calls may silently lose cookies even with correct headers.

Published: 2026-07-26Updated: 2026-07-281 min read

safaricookiescors

Partitioned storage

Cookies may be partitioned per top-level site; your API must not assume a stable third-party jar.

Storage Access API flows require user gestures—plan UX accordingly.

RUM beacons to third-party analytics domains face separate cookie rules from your API CORS surface.

Correlate Safari version strings when debugging mysterious 401s after OS upgrades.