
Safari ITP: partitioned cookies, Storage Access API, and CORS credentialed requests that still fail

Intelligent Tracking Prevention isolates third-party contexts—your CORS headers may be correct while cookies never attach.
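An added example, not code from the original post, that separates the two failure modes above: a request the browser blocks at the CORS layer versus one that succeeds but arrives without its cookie. It assumes a hypothetical API that answers 401 when no session cookie is received; `classify`, `probe` and `onUserGesture` are illustrative names, and `doc`/`fetchImpl` are injected so the logic can be exercised outside a browser.

```javascript
// Added example: tell a CORS failure apart from a cookie that never attached.
// Assumption: the API returns 401 when it receives no session cookie.

// Pure classifier over what the embedded page can actually observe.
function classify({ fetchThrew, status, hadAccess }) {
  if (fetchThrew) return 'cors-or-network';   // response blocked or host unreachable
  if (status !== 401) return 'ok';            // readable response, session accepted
  // CORS passed (the status was readable) but the server saw no session.
  return hadAccess ? 'not-logged-in' : 'cookie-likely-blocked';
}

async function probe(url, doc, fetchImpl) {
  // Assumption: a browser without hasStorageAccess() does not partition cookies.
  const hadAccess = doc.hasStorageAccess ? await doc.hasStorageAccess() : true;
  try {
    const res = await fetchImpl(url, { mode: 'cors', credentials: 'include' });
    return classify({ fetchThrew: false, status: res.status, hadAccess });
  } catch (err) {
    return classify({ fetchThrew: true, hadAccess });
  }
}

// Call from a click or tap handler: Safari only considers
// requestStorageAccess() when it is triggered by a user gesture.
async function onUserGesture(url, doc, fetchImpl) {
  const first = await probe(url, doc, fetchImpl);
  if (first !== 'cookie-likely-blocked') return first;
  try {
    await doc.requestStorageAccess();         // rejects when access is denied
  } catch (err) {
    return 'storage-access-denied';
  }
  return probe(url, doc, fetchImpl);          // retry now that cookies may attach
}
```

Logging the returned label alongside the embedding origin shows whether a failing integration needs a CORS header fix or a Storage Access prompt.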


Private Relay

iCloud Private Relay changes egress IPs, so IP allowlists on backends outside the CORS path are not sufficient for abuse prevention.

CAPTCHA flows may open cross-site iframes—test CORS on embedded challenge domains.

PWAs

Home-screen web apps may behave like a first-party context, so verify CORS on push notification endpoints separately.

Service worker update checks can fail CORS silently—monitor registration errors in analytics.
