No same site = None cookies for iOS18

71 points by Zobat 8 months ago

5 comments

chrismorgan 8 months ago
Actual title (emphasis mine):

> *iOS 18 does not allow a* client application *to specify SameSite=None*

That’s quite a different thing from the present submitted title, “No same site = None cookies for iOS18”, which would suggest SameSite=None was being blocked altogether.

Glancing through, it reads more like “when SameSite default was changed from None to Lax [which everyone else did four years ago, if I recall correctly], there was a bug because the default was actually assumed in one other place that we missed, so that setting SameSite to None in a particular way didn’t work, and this pull request fixes that”. Simple bug, nothing to see here. But I’m not in Apple’s ecosystem, don’t trust my two-minute glance to be accurate and please correct me when I’m wrong.

srg0 8 months ago
From a user perspective, isn't it an improvement of privacy of iOS users?

The bug report referenced in this issue is the case of invasive tracking (basically enterprise spyware) breaking in iOS18 https://bugs.webkit.org/show_bug.cgi?id=279153

Normal web usage is not affected.

```
- WebKit is honoring the cookie's SameSite=None attribute when the cookie is set by server in this case the IdP
- Attempts to set this attribute from the client side (from the app interacting with the iOS cookie store) have been unsuccessful. For example, by setting `.sameSitePolicy = "none"`
- Safari Web Inspector shows the option to set the cookie's SameSite attribute to None, it however, does not get honored either, and is immediately reverted.
```

thih9 8 months ago
Does anyone have more context? Is this part of the general effort to not use third party cookies[1] or is this something more iOS specific?

[1]: https://developer.mozilla.org/en-US/blog/goodbye-third-party-cookies/

siva7 8 months ago
Oh boy, I'm getting headaches again about SSO flows. How come web development was easier back in 2005 than in 2024?

bitbasher 8 months ago
My experience with SameSite equal None was to move it to Lax. Why? Because when a link in an email client is clicked and opens a site, the cookies are not sent.

For example, you sign up to a website (A). You get a verify email sent to your inbox. You open your inbox (site B) and click the link. The link opens (A) but you're not logged in automatically upon verification, you get logged out because the cookie wasn't sent (since you're coming from B).

It was quite disruptive to basic flows.
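
As an added example (not written by any commenter in this thread), the sketch below implements the SameSite send decision from the RFC 6265bis draft and evaluates it for a link clicked in a webmail inbox, an embedded cross-site request to an identity provider, and a cross-site form POST. The hostnames, the `siteOf`, `cookieIsSent` and `sentByPolicy` helpers, the two-label site approximation and the Lax default for an unset attribute are assumptions made for illustration.

```javascript
// Added example: the SameSite send decision, following the RFC 6265bis draft.
// ASSUMPTION: a "site" is approximated as scheme + last two host labels; real
// browsers use the Public Suffix List to find the registrable domain.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// request: { url, initiator, method, topLevelNavigation }
function cookieIsSent(cookie, request) {
  // Secure cookies never travel over plain HTTP.
  if (cookie.secure && new URL(request.url).protocol !== "https:") return false;
  // ASSUMPTION: an unset attribute defaults to Lax, as in engines that adopted that default.
  const policy = (cookie.sameSite || "Lax").toLowerCase();
  // SameSite=None is only accepted together with Secure.
  if (policy === "none") return cookie.secure === true;
  if (siteOf(request.url) === siteOf(request.initiator)) return true;
  if (policy === "strict") return false;
  // Lax: a cross-site request carries the cookie only when it is a
  // top-level navigation that uses a safe HTTP method.
  return request.topLevelNavigation === true && SAFE_METHODS.has(request.method);
}

// Constructed scenarios; all hostnames are placeholders.
const SCENARIOS = {
  emailLink: { url: "https://app.example/verify", initiator: "https://mail.example/inbox",
               method: "GET", topLevelNavigation: true },
  embeddedIdp: { url: "https://idp.example/session", initiator: "https://app.example/",
                 method: "GET", topLevelNavigation: false },
  crossSitePost: { url: "https://app.example/login", initiator: "https://idp.example/sso",
                   method: "POST", topLevelNavigation: true },
};

// Evaluate one request against a Secure cookie under each explicit policy.
function sentByPolicy(request) {
  const result = {};
  for (const sameSite of ["Strict", "Lax", "None"]) {
    result[sameSite] = cookieIsSent({ sameSite, secure: true }, request);
  }
  return result;
}

for (const [name, request] of Object.entries(SCENARIOS)) {
  console.log(name, sentByPolicy(request));
}
```
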