This morning's Implementation status change to *Deprecated* results in Deprecate Third-Party Cookies <https://chromestatus.com/feature/5133113939722240> (Deprecated)
Did you intend to also rename the feature to "Third-Party Cookies?" Thanks On Monday, November 13, 2023 at 4:20:47 AM UTC-6 yoav...@chromium.org wrote: > LGTM1 > > I cannot imagine a more thorough and thoughtful approach than the one the > Privacy Sandbox team has taken to tackle this significant change to the > web's privacy model while minimizing breakage and providing replacement > APIs. Thanks for pushing this important work through!! > > On Mon, Nov 13, 2023 at 10:31 AM Johann Hofmann <joha...@chromium.org> > wrote: > >> Contact emails >> >> joha...@chromium.org, wande...@chromium.org, dylan...@chromium.org, >> kaust...@chromium.org, jka...@chromium.org, john...@chromium.org >> >> Explainer >> >> For general information on Privacy Sandbox for the Web and Google’s plans >> to phase out third-party cookies, see >> https://privacysandbox.com/open-web/. >> >> For additional information on the planned semantics of third-party cookie >> blocking and its interaction with the SameSite cookie attribute, see >> https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics >> >> Specification >> >> The Cookies RFC contains some language >> <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-the-cookie-header-field> >> >> that, in theory, allows user agents to block third-party cookies, leaving a >> lot of details unspecified. We are not happy with this status quo and are >> collaborating with other browsers on a significant spec refactoring effort >> called cookie layering >> <https://github.com/httpwg/http-extensions/issues/2084> to give >> Fetch/HTML more responsibility over specifying how and when cookies are >> stored and attached, as well as a WebAppSec Note based on our existing >> explainer >> <https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics> >> that describes how cookie blocking interacts with SameSite cookies. >> >> Summary >> >> We intend to deprecate and remove default access to third-party (aka >> cross-site) cookies as part of the Privacy Sandbox Timeline for the Web >> <https://privacysandbox.com/open-web/#the-privacy-sandbox-timeline>, >> starting with an initial 1% testing period in Q1 2024 >> <https://developer.chrome.com/docs/privacy-sandbox/chrome-testing/>, >> followed by a gradual phaseout planned to begin in Q3 2024 after >> consultation >> with the CMA >> <https://www.gov.uk/cma-cases/investigation-into-googles-privacy-sandbox-browser-changes> >> >> (The gradual phaseout is subject to addressing any remaining competition >> concerns of the UK’s Competition and Markets Authority.) >> >> Phasing out third-party cookies (3PCs) is a central effort to the Privacy >> Sandbox initiative, which aims to responsibly reduce cross-site tracking on >> the web (and beyond) while supporting key use cases through new >> technologies. Our phaseout plan was developed with the UK's Competition and >> Markets Authority, in line with the commitments >> <https://blog.google/around-the-globe/google-europe/path-forward-privacy-sandbox/> >> >> we offered for Privacy Sandbox for the web. >> >> Blink component >> >> Internals>Network>Cookies >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ECookies> >> >> Motivation >> >> Our goal on the Privacy Sandbox is to reduce cross-site tracking while >> still enabling the functionality that keeps online content and services >> freely accessible by everyone. Deprecating and removing third-party cookies >> encapsulates the challenge, as they enable critical functionality across >> sign-in, fraud protection, advertising, and generally the ability to embed >> rich, third-party content in websites—but at the same time they're also a >> key enabler of cross-site tracking. >> >> Initial public proposal >> >> N/A >> >> TAG review >> >> The TAG has explicitly endorsed >> <https://w3ctag.github.io/web-without-3p-cookies/#why-restrict-third-party-cookies> >> >> (n.b. as a draft document) the deprecation of third-party cookies in the >> past. Additionally, we requested feedback on our proposal to define the >> 3PC security semantics >> <https://github.com/w3ctag/design-reviews/issues/904> and received >> generally positive feedback. >> >> TAG review status >> >> Tentatively Positive, see above >> >> Risks >> Compatibility >> >> Impact on the Ads ecosystem: >> >> A suite of APIs for delivering relevant ads, measuring ad performance, >> and preventing fraud and abuse are now generally available in Chrome to >> continue to facilitate ad-supported content on the web. We continue to work >> closely with the UK Competition and Markets Authority (CMA) on evaluating >> the impact of this change on the ads ecosystem. >> >> Web Compatibility: >> >> Despite 3PCs already being blocked in Firefox and Safari and developer >> outreach efforts to raise awareness and encourage developers to prepare for >> the deprecation, we currently estimate that a non-trivial number of sites >> are still relying on third-party cookies for some user-facing >> functionality. To address this breakage, we have developed a two-pronged >> strategy: >> >> >> 1. >> >> Breakage Discovery & Outreach >> >> Through various efforts, such as UKM-based signal analysis, scaled manual >> testing and dogfooding, we are collecting a list of impacted use cases. >> These individual breakage cases inform our mitigation strategy (see next >> step) and future API improvements, as well as our ongoing developer >> outreach efforts. >> >> We also offer developers the ability to report 3PC breakage to the Chrome >> team via goo.gle/report-3pc-broken or ask general questions at >> https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/issues. >> >> >> 1. >> >> Temporary Breakage Mitigation >> >> It will take time for developers to replace their usage of 3PCs with new >> APIs or different approaches, and some developers may not be aware of this >> deprecation until they discover breakage. In order to reduce the impact of >> such breakage on the web, we have implemented a series of temporary >> mitigations: >> >> >> - >> >> Exemption Heuristics >> >> <https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md>: >> >> We are planning to ship heuristics mirroring those that already ship in >> Firefox and Safari, and are also working with both browsers on a >> coordinated removal process. Additional details can be found & should be >> discussed in the I2P >> >> <https://groups.google.com/a/chromium.org/g/blink-dev/c/Eeh2pE0DRaE/m/1BJyBlCUAAAJ> >> >> & upcoming I2S. >> >> >> >> - >> >> Deprecation Trial: >> >> <https://developer.chrome.com/blog/cookie-countdown-2023oct/#request-additional-time-with-the-third-party-deprecation-trial-for-non-advertising-use-cases> >> >> This will be outlined in more detail in the upcoming Request for >> Deprecation Trial, but it’s important to note that a review step >> including >> evidence of user-facing breakage will be required for participation. >> Further, we do not intend to approve trials for ads-related use cases, to >> avoid interference with the quantitative testing. >> >> >> >> - >> >> As with other launches, we will also have a set of server-side >> controls to manage the rollout as a whole and minimize issues specific >> sites are causing for users. >> >> >> Despite all these efforts, we want to be clear that we are intentionally >> taking some risk here in the interest of user privacy. >> >> Enterprise Compatibility: >> >> To help with the transition, we intend to allow enterprise organizations >> to opt their applications out of third-party cookie blocking using the >> existing BlockThirdPartyCookies >> <https://chromeenterprise.google/policies/#BlockThirdPartyCookies> or >> CookiesAllowedForUrls >> <https://chromeenterprise.google/policies/#CookiesAllowedForUrls> >> policies. Given that enterprise systems are often gated and are therefore >> hard to analyze from an external perspective, these policies will provide >> additional time for the enterprise ecosystem to adapt. We intend to publish >> additional guidance for enterprises on https://goo.gle/3pcd-enterprise >> for the period beyond the 1% testing period. >> >> Interoperability >> >> Both Firefox and Safari have removed default access to third-party >> cookies already, though there are small differences >> <https://github.com/DCtheTall/standardizing-cross-site-cookie-semantics> >> in how browsers treat SameSite=None cookies in so called “ABA” scenarios >> (site A embeds site B, which embeds site A again). Chrome ships the more >> secure and more restrictive variant, and from initial conversations we are >> optimistic that other browsers will adopt it as well. There are also subtle >> differences in how browsers restore access to third-party cookies through >> mechanisms such as heuristics or custom quirks. Where Chrome implements >> similar measures (such as the heuristics >> <https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md>), >> >> we try to follow the launch and standards processes to achieve as much >> interop as we can, given other requirements such as privacy and security. >> >> Gecko: Shipping >> >> WebKit: Shipping >> >> Web developers: Mixed Signals >> >> As one of the most impactful changes to the web platform in a long time, >> the deprecation of 3rd party cookies and the introduction of alternative >> APIs have received a lot of helpful feedback from web developers to an >> extent impossible to summarize in a few sentences. As described in the >> summary, the Privacy Sandbox wants to ensure that a vibrant, freely >> accessible web can exist even as we roll out strong user protections and we >> will continue to work with web developers to understand their use cases and >> ship the right (privacy-preserving) APIs. And we’ve received feedback >> <https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability/#:~:text=The%20Benefits%20of%20Collaboration> >> >> that gives us confidence that we’re on the right track. >> >> WebView application risks >> >> This deprecation will not affect WebView for now. >> >> >> Debuggability >> >> Developers may use the command-line testing switch >> --test-third-party-cookie-phaseout >> (available starting Chrome 115) or enable >> chrome://flags#test-third-party-cookie-phaseout (available starting Chrome >> 117), to simulate browser behavior with default access to third-party >> cookies removed. We also started reporting DevTools issues for cookies >> impacted by the deprecation starting in Chrome 117 to help identify >> potentially impacted workflows. We are continuing to improve our developer >> documentation >> <https://developer.chrome.com/blog/cookie-countdown-2023oct/> on >> debugging third-party cookies usage, and guidance on migration to new APIs. >> >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ? >> >> Yes. We have put together a set of WPTs >> <https://wpt.fyi/results/cookies/third-party-cookies/third-party-cookies.tentative.https.html?label=experimental&label=master&aligned> >> >> which cover third-party cookie blocking for subresource requests. It is not >> yet comprehensive, we are working on adding additional tests to support our >> standardization efforts. >> >> Flag name on chrome://flags >> >> TestThirdPartyCookiePhaseout >> >> Finch feature name >> >> Due to the nature of the Chrome-facilitated testing period >> <https://developer.chrome.com/docs/privacy-sandbox/chrome-testing/>, as >> well as the general complexity of managing breakage related to removing >> third-party cookies, there won’t be a single Finch feature that takes us >> from 0% to 100% deprecated. Instead, a collection of features, supporting >> different phases and components, will be used. >> >> Non-finch justification >> >> N/A >> >> Requires code in //chrome? >> >> No, the base third-party cookie blocking functionality does not require >> Chrome code. Some custom Chrome functionality (such as the aforementioned >> facilitated testing, mitigations and user experience improvements) does >> require it. >> >> Estimated milestones >> >> Initial phase of Deprecation (1%) is planned as part of the “Chrome >> facilitated testing period” beginning in Q1 2024, as described on >> https://privacysandbox.com/open-web/#the-privacy-sandbox-timeline, >> further phaseout is planned to begin in Q3 2024. (The gradual phaseout of >> third-party cookies is subject to addressing any remaining competition >> concerns of the CMA.) >> >> >> Link to entry on the Chrome Platform Status >> >> https://chromestatus.com/feature/5133113939722240 >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4ikogMJZce42o-QcGUMDNiM2Lr_6BGAfP8Gzktakc5_fw%40mail.gmail.com >> >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4ikogMJZce42o-QcGUMDNiM2Lr_6BGAfP8Gzktakc5_fw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/3b311834-f210-4caa-b858-8f43020c1b61n%40chromium.org.
