Contact emails
johann...@chromium.org, wanderv...@chromium.org

Explainer
None

Specification
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-the-cookie-header-field

Summary
Chrome intends to deprecate and remove default access to third-party (aka cross-site) cookies, starting with the 1% testing period [1] that began in Q1 2024, followed by a gradual phaseout planned to ramp up from Q1 2025, subject to addressing any remaining competition concerns of the UK’s Competition and Markets Authority. Third-party cookie phaseout [2] is a central effort of the Privacy Sandbox [3] initiative, which aims to responsibly reduce cross-site tracking on the web (and beyond) while supporting key use cases through new technologies.

[1] https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2024jan
[2] http://goo.gle/3pcd
[3] https://developers.google.com/privacy-sandbox

Blink component
Internals>Network>Cookies <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ECookies>

Search tags
3pcd <https://chromestatus.com/features#tags:3pcd>

TAG review
None

TAG review status
Not applicable

Origin Trial Name
Third Party Cookie Deprecation Trial for Top Level Sites

Chromium Trial Name
Tpcd1p

Link to origin trial feedback summary
https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/issues/new/choose

Origin Trial documentation link
https://bit.ly/cookie-deprecation-trial

WebFeature UseCounter name
kThirdPartyCookieDeprecation_AllowBy3PCD

Origin Trial Name
Limit Third Party Cookies

Chromium Trial Name
LimitThirdPartyCookies

Origin Trial documentation link
https://developers.google.com/privacy-sandbox/3pcd/prepare/debug

WebFeature UseCounter name
kOBSOLETE_PageDestruction

Origin Trial Name
Third Party Cookie Deprecation Trial

Chromium Trial Name
Tpcd

Origin Trial documentation link
https://developer.chrome.com/blog/third-party-cookie-deprecation-trial

WebFeature UseCounter name
kThirdPartyCookieDeprecation_AllowBy3PCD

Origin Trial Name
Third Party Cookie Deprecation for Top Level Sites

Chromium Trial Name
TopLevelTpcd

Origin Trial documentation link
https://goo.gle/cookie-deprecation-trial

Risks

Interoperability and Compatibility
Web Compatibility: Despite 3PCs already being blocked in Firefox and Safari and developer outreach efforts to raise awareness and encourage developers to prepare for the deprecation, we currently estimate that a non-trivial number of sites are still relying on third-party cookies for some user-facing functionality. See Intent to Deprecate and Remove for more information: https://groups.google.com/a/chromium.org/g/blink-dev/c/RG0oLYQ0f2I/m/xMSdsEAzBwAJ

Interoperability: Both Firefox and Safari have removed default access to third-party cookies already, though there are small differences in how browsers treat SameSite=None cookies in so-called “ABA” scenarios (site A embeds site B, which embeds site A again). Chrome ships the more secure and more restrictive variant, and from initial conversations we are optimistic that other browsers will adopt it as well. There are also subtle differences in how browsers restore access to third-party cookies through mechanisms such as heuristics or custom quirks. Where Chrome implements similar measures (such as the heuristics), we try to follow the launch and standards processes to achieve as much interop as we can, given other requirements such as privacy and security.

*Gecko*: Shipped/Shipping

*WebKit*: Shipped/Shipping

*Web developers*: Mixed signals (https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability/#:~:text=The%20Benefits%20of%20Collaboration) As one of the most impactful changes to the web platform in a long time, the deprecation of 3rd party cookies and the introduction of alternative APIs have received a lot of helpful feedback from web developers to an extent impossible to summarize in a few sentences.
As described in the summary, the Privacy Sandbox wants to ensure that a vibrant, freely accessible web can exist even as we roll out strong user protections and we will continue to work with web developers to understand their use cases and ship the right (privacy-preserving) APIs. And we’ve received feedback that gives us confidence that we’re on the right track.

*Other signals*:

Activation
Impact on the Ads ecosystem: A suite of APIs for delivering relevant ads, measuring ad performance, and preventing fraud and abuse are now generally available in Chrome to continue to facilitate ad-supported content on the web. We continue to work closely with the UK Competition and Markets Authority (CMA) on evaluating the impact of this change on the ads ecosystem.

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Goals for experimentation

Reason this experiment is being extended
We request to extend the origin trial to M133 to give sites more time to test with third-party cookies restricted. Recently, we announced a new path focused on elevating user choice, instead of third-party cookie deprecation. We will continue to support and invest in the Privacy Sandbox technologies. While we can't predict what exact user preferences will be, it’s important for businesses and developers to prepare for a likely increase in Chrome browsers without support for third-party cookies, and to continue investing in privacy-enhancing technologies. This change in path necessitates a departure from our initially planned timeline. Extending this trial is necessary to continue allowing businesses and developers to perform broader testing of alternatives to third-party cookies ahead of any increase in Chrome browsers without support for third-party cookies, and to continue providing valuable real-world feedback on those alternatives.

Ongoing technical constraints
None.

Debuggability
Developers may use the command-line testing switch --test-third-party-cookie-phaseout (available starting Chrome 115) or enable chrome://flags#test-third-party-cookie-phaseout (available starting Chrome 117) to simulate browser behavior with default access to third-party cookies removed. We also started reporting DevTools issues for cookies impacted by the deprecation starting in Chrome 117 to help identify potentially impacted workflows. We are continuing to improve our developer documentation on debugging third-party cookies usage, and guidance on migration to new APIs. https://developer.chrome.com/blog/cookie-countdown-2023oct/

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
Third-Party Cookies will be deprecated on Windows, Mac, Linux, Chrome OS, Android. The deprecation will not affect Android WebView for the time being, where 3PCs are already blocked by default, but can be re-enabled by the embedding application.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes
Yes. We have put together a set of WPTs which cover third-party cookie blocking for subresource requests. It is not yet comprehensive; we are working on adding additional tests to support our standardization efforts.
https://wpt.fyi/results/cookies/third-party-cookies/third-party-cookies.tentative.https.html?label=experimental&label=master&aligned

Flag name on about://flags
test-third-party-cookie-phaseout

Finch feature name
None

Non-finch justification
None

Requires code in //chrome?
False

Launch bug
https://launch.corp.google.com/4276016

Estimated milestones
Origin trial desktop first: 120
Origin trial desktop last: 132
Origin trial desktop first: 127
Origin trial desktop last: 130
Origin trial desktop first: 120
Origin trial desktop last: 132
Origin trial desktop first: 120
Origin trial extension 1 end milestone: 133
DevTrial on desktop: 117
Origin trial Android first: 127
Origin trial Android last: 130
DevTrial on Android: 117

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5133113939722240?gate=6218696161492992

Links to previous Intent discussions
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/yGUdvW_t_y0/m/DafsVzHFAQAJ
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/3B5dIm_XXLE/m/DZ2cYzm9AQAJ
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7rkMgacVy4YDA4T6z72mEPfwGst3O1_GbB8jF_W5kBwPyAXA%40mail.gmail.com
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/yGUdvW_t_y0/m/DafsVzHFAQAJ
Intent to Ship: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4ikogMJZce42o-QcGUMDNiM2Lr_6BGAfP8Gzktakc5_fw%40mail.gmail.com

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.