2.2.2.2 Ensure 'Accept cookies' is set to 'From websites I visit' or 'From current website only'

Information

This recommendation pertains to the automatic acceptance of third-party cookies.

Rationale:

Accepting cookies may allow web servers to interact with other cookies already in place. For example, the HEIST cookie exploit allows for retrieving data from cookies stored on a device. Cookies often follow poor coding practices and include authentication properties. Limiting acceptance of cookies to only those from sites intentionally visited reduces the likelihood of a potential exploit.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Restrictions tab.

In the right window pane, under the Apps tab, set the 'Accept cookies' menu to 'From websites I visit' or 'From current website only'.

Deploy the Configuration Profile.

Additional Information:

'From websites I visit' accepts cookies from the current domain and any domain you've visited. 'From current website only' accepts cookies only from the current domain.
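The following check is an added example, not part of the benchmark or of Apple Configurator. It audits an exported profile for this setting and assumes an unsigned .mobileconfig (plain plist) whose Restrictions payload (`com.apple.applicationaccess`) carries Apple's `safariAcceptCookies` key, where 1 is 'From current website only' and 1.5 is 'From websites I visit'. The sample profiles are constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"   # Restrictions payload type
COOKIE_KEY = "safariAcceptCookies"                  # 0 never, 1, 1.5, 2 always
COMPLIANT = {1.0: "From current website only", 1.5: "From websites I visit"}


def audit_cookie_policy(profile_bytes):
    """Return (compliant, detail) for an unsigned .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return False, "no Restrictions payload in profile"
    label = None
    for p in payloads:
        value = p.get(COOKIE_KEY)
        # A missing key means the profile does not enforce the setting at all.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False, "safariAcceptCookies missing or not numeric"
        # Only the two values named by the recommendation pass; 0 and 2 fail.
        if float(value) not in COMPLIANT:
            return False, f"safariAcceptCookies={value} is not a benchmark setting"
        label = COMPLIANT[float(value)]
    return True, label


def sample_profile(value):
    """Build a constructed sample profile; value=None omits the cookie key."""
    payload = {"PayloadType": RESTRICTIONS_TYPE,
               "PayloadIdentifier": "example.restrictions"}  # placeholder id
    if value is not None:
        payload[COOKIE_KEY] = value
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    for v in (1, 1.5, 2, None):
        print(v, audit_cookie_policy(sample_profile(v)))
```

A signed profile is CMS-wrapped and must be unwrapped before `plistlib` can parse it.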

See Also

https://workbench.cisecurity.org/benchmarks/6168

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: MDM

Control ID: f09e9bfd043c9bd36377cf7f3924db2081a0bc8c62111ddc5af6ac611f5315a5