2.2.2.2 Ensure 'Accept cookies' is set to 'From websites I visit' or 'From current website only'

Information

This recommendation pertains to the acceptance of third-party cookies.

Rationale:

The HEIST cookie exploit allows for retrieving data from cookies stored on a device. Cookies often follow poor coding practices and often include authentication properties. Limiting acceptance of cookies to only those from sites intentionally visited reduces the likelihood of exploit.

Solution

1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the 'Restrictions' tab.
4. In the right windowpane, under the tab 'Apps', set the 'Accept cookies' menu to 'From websites I visit' or 'From current website only'.
5. Deploy the Configuration Profile.

Impact:

None.

See Also

https://workbench.cisecurity.org/files/1688