No - Safari 14 Does Not Block Google Analytics

This article aims to subdue the rumors that Safari 14 will block Google Analytics (and other similar libraries) by default. It will not.

Let me start by proclaiming with clarity and sincerity:

No, Safari 14 (or any other version of Safari) will not block Google Analytics from loading and running on a website.

In the midst of Apple’s yearly Worldwide Developers Conference, the company showcased some of the privacy improvements to the upcoming version of the Safari web browser (version 14).

In fact, the biggest revelation was the new Privacy Report, which is designed to elucidate how much the browser is working towards mitigating the damage caused by cross-site trackers.

For better or for worse, one of the previews showed that google-analytics.com is listed among the trackers that are being prevented on websites.

Queue panic and the spread of misinformation like wildfire through the dry brush of first-party analytics.

Apple Insider was quick to report on this, going so far as to say that “…the browser now completely blocks Google Analytics…”.

Search Engine Journal picked the story up too, saying that “…Apple specifically shows Google Analytics being blocked by Safari”.

NOTE! Search Engine Journal has added a footnote that they might have got the story wrong.

Myth debunked

Safari does not block resource loads. That’s not how Intelligent Tracking Prevention(ITP) works. It’s more elegant than that.

That’s John Wilander, the WebKit engineer in charge of ITP saying that “ITP has not started to block resource loads, but ITP does so much more than just block cookies”.

Early on, Maciek Stanasiuk tested whether hits are actually blocked, and found the opposite.

Similarly, Tom Anthony contributed to the research.

When Safari says it blocks or prevents a tracker, what it means is that the ITP algorithm has flagged some domain as having cross-site tracking capabilities, and Safari has, among other things, stripped it of its capabilities to carry cookies in cross-site requests, also known as third-party cookies.

THIS is what Safari means when it’s prevented a known tracker in google-analytics.com. That domain has been flagged as a cross-site tracking domain, and Safari assigns certain protective measures to any communications to and from that domain (you can read more about them here).

Just to prove the point, here’s my site with google-analytics.com AND googletagmanager.com flagged as tracking domains, while still merrily loading the JavaScript libraries and sending the HTTP requests to their designated endpoints:

How does the Privacy Report work

Intelligent Tracking Prevention flags domains as being potential tracking domains if it detects requests being sent to them by the browser from a sufficient number of unique domains.

If your Safari browser sends a request to google-analytics.com from domain1.com, domain2.com, and domain3.com, Safari will flag google-analytics.com as having cross-site tracking capabilities.

ITP does this to hundreds upon hundreds of domains for any regular Safari user. It’s been doing this since its introduction in 2017. This is how Safari slowly closes the noose around cross-site trackers.

The Privacy Report has been designed to shed light on this process. However, instead of listing ALL the domains flagged by ITP, the domains are cross-referenced against DuckDuckGo’s tracker lists. If a match is found, the domain is surfaced in the Privacy Report to showcase how ITP is blocking known trackers from reading your data.

Does it matter that google-analytics.com is prevented as a tracker?

Not really. The fact that google-analytics.com has its ability to leverage third-party storage neutered means nothing to how the tool is actually used.

Google Analytics is a first-party analytics platform.

It’s downloaded from Google’s servers as a JavaScript library, any identifiers are stored in first-party cookies, and any HTTP requests to the GA endpoint use these identifiers and these identifiers alone to specify the source of the tracker. No third-party storage access is being used with the requests to google-analytics.com.

That doesn’t mean there might not be cookies set on google-analytics.com. I would imagine there are some that are used for debugging and monitoring purposes, for example. These cookies would not work on Safari or any other browser that targets google-analytics.com as a tracking domain.

Final thoughts

I’m disappointed in many things right now.

I’m disappointed in how this bit of misinformation spread so fast, and how reputable journals took a grainy screenshot and a couple of influencer tweets and jumped to conclusions that were quoted over and over again in social media.

I’m disappointed that the Privacy Report has such clumsy wording. To use terms like block, prevent, and tracker can lead to confusion, as the aftermath of WWDC showed, unless they are clearly defined in the report itself. I know it’s not the final version of the Privacy Report yet, so hopefully the copy will be clarified.

I’m disappointed it took the whole day to install Big Sur (macOS beta) on an external drive just to test something I already knew was true. And yes, I’m disappointed I didn’t have enough disk space available to install Big Sur on a proper hard disk partition.

I’m not disappointed in the Privacy Report or Intelligent Tracking Prevention. Both are doing an amazing job at protecting Safari users from something that can have a devastating impact if mishandled.

ITP will keep on evolving and morphing to adjust to the cross-site tracking crowd.

But for now, Google Analytics users don’t need to worry about Safari. Google Analytics does not require cross-site tracking capabilities, and Safari does not block its use. Naturally, it does limit how effective it is, but that’s another story.

Huge thanks to folks like Maciec Stanasiuk, Tom Anthony, and Charles Farina for working against the rumor mill.