3.2.2.2 Ensure 'Accept cookies' is set to 'From websites I visit' or 'From current website only'

Information

This recommendation pertains to the acceptance of third-party cookies.

Rationale:

The HEIST cookie exploit allows for retrieving data from cookies stored on a device. Cookies often follow poor coding practices and often include authentication properties. Limiting acceptance of cookies to only those from sites intentionally visited reduces the likelihood of exploitation.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Restrictions tab.

In the right window pane, under the tab Apps, set the Accept cookies menu to From websites I visit or From current website only.

Deploy the Configuration Profile.

Additional Information:

From websites I visit accepts cookies from the current domain and any other domain you've visited. From current website only only accepts cookies from the current domain.

See Also

https://workbench.cisecurity.org/benchmarks/15548