Intent to Extend Experiment: Origin Trial for Third Party Cookie Deprecation
Joshua Hood
Contact emails
joha...@chromium.org, wande...@chromium.orgExplainer
NoneSpecification
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-the-cookie-header-fieldSummary
Chrome intends to deprecate and remove default access to third-party (aka cross-site) cookies, starting with the 1% testing period [1] that began in Q1 2024, followed by a gradual phaseout planned to ramp up from Q1 2025, subject to addressing any remaining competition concerns of the UK’s Competition and Markets Authority. Third-party cookie phaseout [2] is a central effort of the Privacy Sandbox [3] initiative, which aims to responsibly reduce cross-site tracking on the web (and beyond) while supporting key use cases through new technologies. [1] https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2024jan [2] http://goo.gle/3pcd [3] https://developers.google.com/privacy-sandbox
Blink component
Internals>Network>CookiesSearch tags
3pcdTAG review
NoneTAG review status
Not applicableOrigin Trial Name
Third Party Cookie Deprecation Trial for Top Level SitesChromium Trial Name
Tpcd1pLink to origin trial feedback summary
https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/issues/new/chooseOrigin Trial documentation link
https://bit.ly/cookie-deprecation-trialWebFeature UseCounter name
kThirdPartyCookieDeprecation_AllowBy3PCDOrigin Trial Name
Limit Third Party CookiesChromium Trial Name
LimitThirdPartyCookiesOrigin Trial documentation link
https://developers.google.com/privacy-sandbox/3pcd/prepare/debugWebFeature UseCounter name
kOBSOLETE_PageDestructionOrigin Trial Name
Third Party Cookie Deprecation TrialChromium Trial Name
TpcdOrigin Trial documentation link
https://developer.chrome.com/blog/third-party-cookie-deprecation-trialWebFeature UseCounter name
kThirdPartyCookieDeprecation_AllowBy3PCDOrigin Trial Name
Third Party Cookie Deprecation for Top Level SitesChromium Trial Name
TopLevelTpcdOrigin Trial documentation link
https://goo.gle/cookie-deprecation-trialRisks
Interoperability and Compatibility
Web Compatibility: Despite 3PCs already being blocked in Firefox and Safari and developer outreach efforts to raise awareness and encourage developers to prepare for the deprecation, we currently estimate that a non-trivial number of sites are still relying on third-party cookies for some user-facing functionality. See Intent to Deprecate and Remove for more information: https://groups.google.com/a/chromium.org/g/blink-dev/c/RG0oLYQ0f2I/m/xMSdsEAzBwAJ Interoperability: Both Firefox and Safari have removed default access to third-party cookies already, though there are small differences in how browsers treat SameSite=None cookies in so called “ABA” scenarios (site A embeds site B, which embeds site A again). Chrome ships the more secure and more restrictive variant, and from initial conversations we are optimistic that other browsers will adopt it as well. There are also subtle differences in how browsers restore access to third-party cookies through mechanisms such as heuristics or custom quirks. Where Chrome implements similar measures (such as the heuristics), we try to follow the launch and standards processes to achieve as much interop as we can, given other requirements such as privacy and security.
Gecko: Shipped/Shipping
WebKit: Shipped/Shipping
Web developers: Mixed signals (https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability/#:~:text=The%20Benefits%20of%20Collaboration) As one of the most impactful changes to the web platform in a long time, the deprecation of 3rd party cookies and the introduction of alternative APIs have received a lot of helpful feedback from web developers to an extent impossible to summarize in a few sentences. As described in the summary, the Privacy Sandbox wants to ensure that a vibrant, freely accessible web can exist even as we roll out strong user protections and we will continue to work with web developers to understand their use cases and ship the right (privacy-preserving) APIs. And we’ve received feedback that gives us confidence that we’re on the right track.
Other signals:
Activation
Impact on the Ads ecosystem: A suite of APIs for delivering relevant ads, measuring ad performance, and preventing fraud and abuse are now generally available in Chrome to continue to facilitate ad-supported content on the web. We continue to work closely with the UK Competition and Markets Authority (CMA) on evaluating the impact of this change on the ads ecosystem.
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Goals for experimentation
Reason this experiment is being extended
We request to extend the origin trial to M133 to give sites more time to test with third-party cookies restricted. Recently, we announced a new path focused on elevating user choice, instead of third-party cookie deprecation. We will continue to support and invest in the Privacy Sandbox technologies. While we can't predict what exact user preferences will be, it’s important for businesses and developers to prepare for a likely increase in Chrome browsers without support for third-party cookies, and to continue investing in privacy-enhancing technologies. This change in path necessitates a departure from our initially planned timeline. Extending this trial is necessary to continue allowing businesses and developers to perform broader testing of alternatives to third-party cookies ahead of any increase in Chrome browsers without support for third-party cookies, and to continue providing valuable real-world feedback on those alternatives.
Ongoing technical constraints
None.
Debuggability
Developers may use the command-line testing switch --test-third-party-cookie-phaseout (available starting Chrome 115) or enable chrome://flags#test-third-party-cookie-phaseout (available starting Chrome 117), to simulate browser behavior with default access to third-party cookies removed. We also started reporting DevTools issues for cookies impacted by the deprecation starting in Chrome 117 to help identify potentially impacted workflows. We are continuing to improve our developer documentation on debugging third-party cookies usage, and guidance on migration to new APIs. https://developer.chrome.com/blog/cookie-countdown-2023oct/
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
NoThird-Party Cookies will be deprecated on Windows, Mac, Linux, Chrome OS, Android. The deprecation will not affect Android WebView for the time being, where 3PCs are already blocked by default, but can be re-enabled by the embedding application.
Is this feature fully tested by web-platform-tests?
YesYes. We have put together a set of WPTs which cover third-party cookie blocking for subresource requests. It is not yet comprehensive, we are working on adding additional tests to support our standardization efforts. https://wpt.fyi/results/cookies/third-party-cookies/third-party-cookies.tentative.https.html?label=experimental&label=master&aligned
Flag name on about://flags
test-third-party-cookie-phaseoutFinch feature name
NoneNon-finch justification
NoneRequires code in //chrome?
FalseLaunch bug
https://launch.corp.google.com/4276016Estimated milestones
| Origin trial desktop first | 120 |
| Origin trial desktop last | 132 |
| Origin trial desktop first | 127 |
| Origin trial desktop last | 130 |
| Origin trial desktop first | 120 |
| Origin trial desktop last | 132 |
| Origin trial desktop first | 120 |
| Origin trial extension 1 end milestone | 133 |
| DevTrial on desktop | 117 |
| Origin trial Android first | 127 |
| Origin trial Android last | 130 |
| DevTrial on Android | 117 |
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5133113939722240?gate=6218696161492992Links to previous Intent discussions
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/yGUdvW_t_y0/m/DafsVzHFAQAJIntent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/3B5dIm_XXLE/m/DZ2cYzm9AQAJ
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7rkMgacVy4YDA4T6z72mEPfwGst3O1_GbB8jF_W5kBwPyAXA%40mail.gmail.com
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/yGUdvW_t_y0/m/DafsVzHFAQAJ
Intent to Ship: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4ikogMJZce42o-QcGUMDNiM2Lr_6BGAfP8Gzktakc5_fw%40mail.gmail.com
Johann Hofmann
Reason this experiment is being extended
We request to extend the origin trial to M133 to give sites more time to test with third-party cookies restricted. Recently, we announced a new path focused on elevating user choice, instead of third-party cookie deprecation. We will continue to support and invest in the Privacy Sandbox technologies. While we can't predict what exact user preferences will be, it’s important for businesses and developers to prepare for a likely increase in Chrome browsers without support for third-party cookies, and to continue investing in privacy-enhancing technologies. This change in path necessitates a departure from our initially planned timeline. Extending this trial is necessary to continue allowing businesses and developers to perform broader testing of alternatives to third-party cookies ahead of any increase in Chrome browsers without support for third-party cookies, and to continue providing valuable real-world feedback on those alternatives.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAp0QgdadRC7Cm9pdVUJ36mEqPuFCw8mDKnLxA9A%2B4wz9a4Jqw%40mail.gmail.com.
Mike Taylor
(I checked w/ the team offline to confirm that's the intent)
Mike Taylor
record:
LGTM to extend from 131 to 133 inclusive.