LGTM for a deprecation trial from M120 to M132. For those of you who
have followed my career (all 2 of you), it shouldn't come as a surprise
that I appreciate the desire and efforts to minimize the compat
implications for sites that are earnestly moving towards this brave new
post-3rd-party cookies world.
(Note: I don't work on third-party cookie deprecation but I would have
landed on a similarly recommended timeline for migration/deprecation.
Thanks for being accommodating and realistic to the complicated demands
of web development and deployment of different use-cases.)
On 11/17/23 1:21 PM, Ben Kelly wrote:
Contact emails
johann...@chromium.org, wanderv...@chromium.org
Explainer
None
Specification
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-the-cookie-header-field
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-the-cookie-header-field>
Summary
We intend to deprecate and remove default access to third-party (aka
cross-site) cookies as part of the Privacy Sandbox Timeline for the
Web, starting with an initial 1% testing period in Q1 2024, followed
by a gradual phaseout planned to begin in Q3 2024 after consultation
with the CMA. (The gradual phaseout is subject to addressing any
remaining competition concerns of the UK’s Competition and Markets
Authority.)
Phasing out third-party cookies (3PCs) is a central effort to the
Privacy Sandbox initiative, which aims to responsibly reduce
cross-site tracking on the web (and beyond) while supporting key use
cases through new technologies. Our phaseout plan was developed with
the UK's Competition and Markets Authority, in line with the
commitments we offered for Privacy Sandbox for the web.
To support this effort we would like to run a deprecation trial for
third-party embedded content. Qualified third-parties participating
in the trial can supply a token via an iframe or third-party script in
order to continue receiving third-party cookies on requests to that
origin.
Goals for experimentation
The primary goal of the deprecation trial is to reduce the amount of
broken user-visible experiences as third-party cookies are phased
out. Third-party embedded content or services with these kinds of
experiences can use the trial to continue to receive third-party
cookies while they work on long term solutions for their users based
on CHIPS, Storage Access API, Related Website Sets, FedCM, etc.
To meet this goal, requests to register for the deprecation trial will
be reviewed to confirm eligibility. Specifically, third-party
providers will need to demonstrate functional breakage in user
journeys to be eligible. Because the deprecation trial is not intended
to support cross-site tracking for advertising purposes, third-party
embeds and services used for advertising will not be eligible. The
ineligibility of advertising use cases will also help to ensure the
deprecation trial does not interfere with the industry testing planned
for the start of 2024 as described by the CMA
<https://www.gov.uk/cma-cases/investigation-into-googles-privacy-sandbox-browser-changes#industry-testing>.
Experiment timeline
Registration opens the week of November 27, 2023.
The trial will end on December 27, 2024.
Effective in Chrome versions M120 through M132
Blink component
Internals>Network>Cookies
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ECookies>
Search tags
3pcd <https://chromestatus.com/features#tags:3pcd>
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Web Compatibility:
Despite 3PCs already being blocked in Firefox and Safari and
developer outreach efforts to raise awareness and encourage
developers to prepare for the deprecation, we currently
estimate that a non-trivial number of sites are still relying
on third-party cookies for some user-facing functionality. See
Intent to Deprecate and Remove for more
information:https://groups.google.com/a/chromium.org/g/blink-dev/c/RG0oLYQ0f2I/m/xMSdsEAzBwAJ
<https://groups.google.com/a/chromium.org/g/blink-dev/c/RG0oLYQ0f2I/m/xMSdsEAzBwAJ>
Interoperability:
Both Firefox and Safari have removed default access to third-party
cookies already, though there are small differences in how browsers
treat SameSite=None cookies in so called “ABA” scenarios (site A
embeds site B, which embeds site A again). Chrome ships the more
secure and more restrictive variant, and from initial conversations we
are optimistic that other browsers will adopt it as well. There are
also subtle differences in how browsers restore access to third-party
cookies through mechanisms such as heuristics or custom quirks. Where
Chrome implements similar measures (such as the heuristics), we try to
follow the launch and standards processes to achieve as much interop
as we can, given other requirements such as privacy and security.
Gecko: Shipped/Shipping
WebKit: Shipped/Shipping
Web developers: Mixed signals
(https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability/#:~:text=The%20Benefits%20of%20Collaboration
<https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability/#:~:text=The%20Benefits%20of%20Collaboration>)
As one of the most impactful changes to the web platform in a long
time, the deprecation of 3rd party cookies and the introduction of
alternative APIs have received a lot of helpful feedback from web
developers to an extent impossible to summarize in a few sentences. As
described in the summary, the Privacy Sandbox wants to ensure that a
vibrant, freely accessible web can exist even as we roll out strong
user protections and we will continue to work with web developers to
understand their use cases and ship the right (privacy-enhancing)
APIs. And we’ve received feedback that gives us confidence that we’re
on the right track.
Other signals:
Activation
Impact on the Ads ecosystem:
A suite of APIs for delivering relevant ads, measuring ad performance,
and preventing fraud and abuse are now generally available in Chrome
to continue to facilitate ad-supported content on the web. We continue
to work closely with the UK Competition and Markets Authority (CMA) on
evaluating the impact of this change on the ads ecosystem.
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
None
Ongoing technical constraints
None
Debuggability
Developers may use the command-line testing switch
--test-third-party-cookie-phaseout (available starting Chrome 115) or
enable chrome://flags#test-third-party-cookie-phaseout (available
starting Chrome 117), to simulate browser behavior with default access
to third-party cookies removed. We also started reporting DevTools
issues for cookies impacted by the deprecation starting in Chrome 117
to help identify potentially impacted workflows. We are continuing to
improve our developer documentation on debugging third-party cookies
usage, and guidance on migration to new APIs.
https://developer.chrome.com/blog/cookie-countdown-2023oct/
<https://developer.chrome.com/blog/cookie-countdown-2023oct/>
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No
Third-Party Cookies will be deprecated on Windows, Mac, Linux, Chrome
OS, Android. The deprecation will not affect Android WebView for the
time being, where 3PCs are already blocked by default, but can be
re-enabled by the embedding application.
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes
Yes. We have put together a set of WPTs which cover third-party cookie
blocking for subresource requests. It is not yet comprehensive, we are
working on adding additional tests to support our standardization efforts.
https://wpt.fyi/results/cookies/third-party-cookies/third-party-cookies.tentative.https.html?label=experimental&label=master&aligned
<https://wpt.fyi/results/cookies/third-party-cookies/third-party-cookies.tentative.https.html?label=experimental&label=master&aligned>
Flag name on chrome://flags
test-third-party-cookie-phaseout
Finch feature name
None
Non-finch justification
None
Requires code in //chrome?
False
Launch bug
https://launch.corp.google.com/4276016
<https://launch.corp.google.com/4276016>
Estimated milestones
DevTrial on desktop
117
DevTrial on Android
117
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5133113939722240
<https://chromestatus.com/feature/5133113939722240>
Links to previous Intent discussions
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7rkMgacVy4YDA4T6z72mEPfwGst3O1_GbB8jF_W5kBwPyAXA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7rkMgacVy4YDA4T6z72mEPfwGst3O1_GbB8jF_W5kBwPyAXA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dd559b59-c3c1-47f0-9161-5dade7619bbb%40chromium.org.
