Contact emails johann...@chromium.org, wanderv...@chromium.org
Explainer None Specification https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-the-cookie-header-field Summary We intend to deprecate and remove default access to third-party (aka cross-site) cookies as part of the Privacy Sandbox Timeline for the Web, starting with an initial 1% testing period in Q1 2024, followed by a gradual phaseout planned to begin in Q3 2024 after consultation with the CMA. (The gradual phaseout is subject to addressing any remaining competition concerns of the UK’s Competition and Markets Authority.) Phasing out third-party cookies (3PCs) is a central effort to the Privacy Sandbox initiative, which aims to responsibly reduce cross-site tracking on the web (and beyond) while supporting key use cases through new technologies. Our phaseout plan was developed with the UK's Competition and Markets Authority, in line with the commitments we offered for Privacy Sandbox for the web. To support this effort we would like to run a deprecation trial for third-party embedded content. Qualified third-parties participating in the trial can supply a token via an iframe or third-party script in order to continue receiving third-party cookies on requests to that origin. Goals for experimentation The primary goal of the deprecation trial is to reduce the amount of broken user-visible experiences as third-party cookies are phased out. Third-party embedded content or services with these kinds of experiences can use the trial to continue to receive third-party cookies while they work on long term solutions for their users based on CHIPS, Storage Access API, Related Website Sets, FedCM, etc. To meet this goal, requests to register for the deprecation trial will be reviewed to confirm eligibility. Specifically, third-party providers will need to demonstrate functional breakage in user journeys to be eligible. Because the deprecation trial is not intended to support cross-site tracking for advertising purposes, third-party embeds and services used for advertising will not be eligible. The ineligibility of advertising use cases will also help to ensure the deprecation trial does not interfere with the industry testing planned for the start of 2024 as described by the CMA <https://www.gov.uk/cma-cases/investigation-into-googles-privacy-sandbox-browser-changes#industry-testing> . Experiment timeline Registration opens the week of November 27, 2023. The trial will end on December 27, 2024. Effective in Chrome versions M120 through M132 Blink component Internals>Network>Cookies <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ECookies> Search tags 3pcd <https://chromestatus.com/features#tags:3pcd> TAG review None TAG review status Not applicable Risks Interoperability and Compatibility Web Compatibility: Despite 3PCs already being blocked in Firefox and Safari and developer outreach efforts to raise awareness and encourage developers to prepare for the deprecation, we currently estimate that a non-trivial number of sites are still relying on third-party cookies for some user-facing functionality. See Intent to Deprecate and Remove for more information: https://groups.google.com/a/chromium.org/g/blink-dev/c/RG0oLYQ0f2I/m/xMSdsEAzBwAJ Interoperability: Both Firefox and Safari have removed default access to third-party cookies already, though there are small differences in how browsers treat SameSite=None cookies in so called “ABA” scenarios (site A embeds site B, which embeds site A again). Chrome ships the more secure and more restrictive variant, and from initial conversations we are optimistic that other browsers will adopt it as well. There are also subtle differences in how browsers restore access to third-party cookies through mechanisms such as heuristics or custom quirks. Where Chrome implements similar measures (such as the heuristics), we try to follow the launch and standards processes to achieve as much interop as we can, given other requirements such as privacy and security. Gecko: Shipped/Shipping WebKit: Shipped/Shipping Web developers: Mixed signals ( https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability/#:~:text=The%20Benefits%20of%20Collaboration) As one of the most impactful changes to the web platform in a long time, the deprecation of 3rd party cookies and the introduction of alternative APIs have received a lot of helpful feedback from web developers to an extent impossible to summarize in a few sentences. As described in the summary, the Privacy Sandbox wants to ensure that a vibrant, freely accessible web can exist even as we roll out strong user protections and we will continue to work with web developers to understand their use cases and ship the right (privacy-enhancing) APIs. And we’ve received feedback that gives us confidence that we’re on the right track. Other signals: Activation Impact on the Ads ecosystem: A suite of APIs for delivering relevant ads, measuring ad performance, and preventing fraud and abuse are now generally available in Chrome to continue to facilitate ad-supported content on the web. We continue to work closely with the UK Competition and Markets Authority (CMA) on evaluating the impact of this change on the ads ecosystem. WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None Ongoing technical constraints None Debuggability Developers may use the command-line testing switch --test-third-party-cookie-phaseout (available starting Chrome 115) or enable chrome://flags#test-third-party-cookie-phaseout (available starting Chrome 117), to simulate browser behavior with default access to third-party cookies removed. We also started reporting DevTools issues for cookies impacted by the deprecation starting in Chrome 117 to help identify potentially impacted workflows. We are continuing to improve our developer documentation on debugging third-party cookies usage, and guidance on migration to new APIs. https://developer.chrome.com/blog/cookie-countdown-2023oct/ Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? No Third-Party Cookies will be deprecated on Windows, Mac, Linux, Chrome OS, Android. The deprecation will not affect Android WebView for the time being, where 3PCs are already blocked by default, but can be re-enabled by the embedding application. Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ? Yes Yes. We have put together a set of WPTs which cover third-party cookie blocking for subresource requests. It is not yet comprehensive, we are working on adding additional tests to support our standardization efforts. https://wpt.fyi/results/cookies/third-party-cookies/third-party-cookies.tentative.https.html?label=experimental&label=master&aligned Flag name on chrome://flags test-third-party-cookie-phaseout Finch feature name None Non-finch justification None Requires code in //chrome? False Launch bug https://launch.corp.google.com/4276016 Estimated milestones DevTrial on desktop 117 DevTrial on Android 117 Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5133113939722240 Links to previous Intent discussions -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7rkMgacVy4YDA4T6z72mEPfwGst3O1_GbB8jF_W5kBwPyAXA%40mail.gmail.com.
