To reproduce: 1. Under privacy settings choose: -Allow from current website only OR Allow from websites I visit 2. Confirm third-party cookies are disabled by visiting: https://alanhogan.github.io/web-experiments/3rd/third-party-cookies.html 3. Create a page on domain1.com that embeds a <video src="http://domain2.com"> and notice that domain2.com Cookies are sent with the request. This behavior differs from both Firefox and Chrome which deny the cookies being sent. Correct behavior: domain2.com Cookies should not be sent. I've documented a real world scenario in this blogpost: https://tedpiotrowski.svbtle.com/broken-video-attachments-in-gmail My apologies if this behavior is intentional to prevent user pain/confusion.
<rdar://problem/34093740>