Greetings, I have questions regarding ITP 2.3 and CNAME subdomains. Our portal offers interoperability between multiple health care platforms through an iframe. In the current situation, all of the parties that integrate with our platform host their applications via a DNS CNAME record that is owned by our shared customer (let's say: customer.com). This means our applications also use CNAMEs. As we all share the same parent domain, I'd expect Safari to not use ITP as they should be handled like first-party cookies. ITP is blocking specific subdomains though.

This is a simplified version of our current situation:

    portal.customer.com  CNAME  portal.supplierA.com
    app1.customer.com    CNAME  app.supplierA.com   ✅
    app2.customer.com    CNAME  app.supplierB.com   ❌

In the above situation, application1.customer.com can be loaded in an iframe just fine (one of our own applications). However, when loading application2.customer.com in the iframe, ITP is triggered. It fails to set a session cookie even though it's a subdomain of customer.com. After disabling "Prevent cross-site tracking" it loads fine. It also works fine in Firefox with third-party blocking fully enabled (might be relevant as ITP is inspired by and derived from Mozilla's anti-tracking policy).

I tried to get more information on why the cookie gets blocked, but unfortunately the ITP debug mode doesn't show any logs on why the cookie is blocked.

So I'd love to know if ITP is expected to kick in for the above scenario. And if so, why? And are there any good documents on exactly when Safari handles a cookie as a third-party cookie? As well, are there any suggestions on what to do when the ITP debug mode doesn't give any informative logs? I don't receive logs in the console nor in the kernel (log stream -info | grep ITPDebug).

Thanks in advance,
Joris

P.S. I understand that implementing the Storage Access API is the offered solution. But we currently choose this approach as we think the Storage Access API is quite disruptive UX-wise as there is no "always allow" option (yet?) and our users go to a lot of different hosts.
Posted by JScharp.
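An added audit helper (not from the original post, WebKit or Apple) that walks the CNAME chain behind each customer.com host and reports which registrable domain the chain ends at, compared with the portal's own CNAME target; that is the one way app2 differs from app1 in the setup above. The CNAME table is a constructed copy of the simplified setup, and the eTLD+1 logic is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
from typing import Dict, List

# Constructed CNAME table mirroring the simplified setup in the question;
# a real audit would replace it with live lookups (e.g. `dig +short CNAME host`).
CNAME_RECORDS: Dict[str, str] = {
    "portal.customer.com": "portal.supplierA.com",
    "app1.customer.com": "app.supplierA.com",
    "app2.customer.com": "app.supplierB.com",
}

def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: last two labels, lower-cased. Fine for .com, wrong for
    suffixes such as .co.uk; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def resolve_chain(host: str, records: Dict[str, str] = CNAME_RECORDS) -> List[str]:
    """Follow CNAME records from host to a name that has none.
    Returns [host, ..., terminal]; raises on a CNAME loop."""
    chain, seen = [host], {host}
    while chain[-1] in records:
        nxt = records[chain[-1]]
        if nxt in seen:
            raise ValueError(f"CNAME loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    return chain

def audit(top_frame: str, embedded: List[str],
          records: Dict[str, str] = CNAME_RECORDS) -> Dict[str, dict]:
    """For each embedded host report its CNAME chain, the registrable domain the
    chain ends at, and whether that matches the top frame's own CNAME target."""
    top_backend = registrable_domain(resolve_chain(top_frame, records)[-1])
    report: Dict[str, dict] = {}
    for host in embedded:
        chain = resolve_chain(host, records)
        backend = registrable_domain(chain[-1])
        report[host] = {
            "chain": chain,
            "backend": backend,
            # the host itself is a customer.com subdomain in every case here ...
            "same_site_as_top_frame": registrable_domain(host) == registrable_domain(top_frame),
            # ... but its CNAME target may live under a different registrable domain
            "same_backend_as_top_frame": backend == top_backend,
        }
    return report

if __name__ == "__main__":
    for host, info in audit("portal.customer.com", ["app1.customer.com", "app2.customer.com"]).items():
        note = "" if info["same_backend_as_top_frame"] else "  <-- backend differs from the portal's"
        print(f"{host}: {' -> '.join(info['chain'])} ({info['backend']}){note}")
```

Run it against live DNS by replacing CNAME_RECORDS with the output of your resolver; the report then shows exactly which embedded hosts are served from a different registrable domain than the top frame.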