Intent to Extend Experiment: Origin Trial for Third Party Cookie Deprecation

319 views
Skip to first unread message

Joshua Hood

unread,
Nov 18, 2024, 5:01:39 PM11/18/24
to blink-dev

Contact emails

joha...@chromium.orgwande...@chromium.org

Explainer

None

Specification

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-the-cookie-header-field

Summary

Chrome intends to deprecate and remove default access to third-party (aka cross-site) cookies, starting with the 1% testing period [1] that began in Q1 2024, followed by a gradual phaseout planned to ramp up from Q1 2025, subject to addressing any remaining competition concerns of the UK’s Competition and Markets Authority. Third-party cookie phaseout [2] is a central effort of the Privacy Sandbox [3] initiative, which aims to responsibly reduce cross-site tracking on the web (and beyond) while supporting key use cases through new technologies. [1] https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2024jan [2] http://goo.gle/3pcd [3] https://developers.google.com/privacy-sandbox



Blink component

Internals>Network>Cookies

Search tags

3pcd

TAG review

None

TAG review status

Not applicable

Origin Trial Name

Third Party Cookie Deprecation Trial for Top Level Sites

Chromium Trial Name

Tpcd1p

Link to origin trial feedback summary

https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/issues/new/choose

Origin Trial documentation link

https://bit.ly/cookie-deprecation-trial

WebFeature UseCounter name

kThirdPartyCookieDeprecation_AllowBy3PCD

Origin Trial Name

Limit Third Party Cookies

Chromium Trial Name

LimitThirdPartyCookies

Origin Trial documentation link

https://developers.google.com/privacy-sandbox/3pcd/prepare/debug

WebFeature UseCounter name

kOBSOLETE_PageDestruction

Origin Trial Name

Third Party Cookie Deprecation Trial

Chromium Trial Name

Tpcd

Origin Trial documentation link

https://developer.chrome.com/blog/third-party-cookie-deprecation-trial

WebFeature UseCounter name

kThirdPartyCookieDeprecation_AllowBy3PCD

Origin Trial Name

Third Party Cookie Deprecation for Top Level Sites

Chromium Trial Name

TopLevelTpcd

Origin Trial documentation link

https://goo.gle/cookie-deprecation-trial

Risks



Interoperability and Compatibility

Web Compatibility: Despite 3PCs already being blocked in Firefox and Safari and developer outreach efforts to raise awareness and encourage developers to prepare for the deprecation, we currently estimate that a non-trivial number of sites are still relying on third-party cookies for some user-facing functionality. See Intent to Deprecate and Remove for more information: https://groups.google.com/a/chromium.org/g/blink-dev/c/RG0oLYQ0f2I/m/xMSdsEAzBwAJ Interoperability: Both Firefox and Safari have removed default access to third-party cookies already, though there are small differences in how browsers treat SameSite=None cookies in so called “ABA” scenarios (site A embeds site B, which embeds site A again). Chrome ships the more secure and more restrictive variant, and from initial conversations we are optimistic that other browsers will adopt it as well. There are also subtle differences in how browsers restore access to third-party cookies through mechanisms such as heuristics or custom quirks. Where Chrome implements similar measures (such as the heuristics), we try to follow the launch and standards processes to achieve as much interop as we can, given other requirements such as privacy and security.



Gecko: Shipped/Shipping

WebKit: Shipped/Shipping

Web developers: Mixed signals (https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability/#:~:text=The%20Benefits%20of%20Collaboration) As one of the most impactful changes to the web platform in a long time, the deprecation of 3rd party cookies and the introduction of alternative APIs have received a lot of helpful feedback from web developers to an extent impossible to summarize in a few sentences. As described in the summary, the Privacy Sandbox wants to ensure that a vibrant, freely accessible web can exist even as we roll out strong user protections and we will continue to work with web developers to understand their use cases and ship the right (privacy-preserving) APIs. And we’ve received feedback that gives us confidence that we’re on the right track.

Other signals:

Activation

Impact on the Ads ecosystem: A suite of APIs for delivering relevant ads, measuring ad performance, and preventing fraud and abuse are now generally available in Chrome to continue to facilitate ad-supported content on the web. We continue to work closely with the UK Competition and Markets Authority (CMA) on evaluating the impact of this change on the ads ecosystem.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Goals for experimentation



Reason this experiment is being extended

We request to extend the origin trial to M133 to give sites more time to test with third-party cookies restricted. Recently, we announced a new path focused on elevating user choice, instead of third-party cookie deprecation. We will continue to support and invest in the Privacy Sandbox technologies. While we can't predict what exact user preferences will be, it’s important for businesses and developers to prepare for a likely increase in Chrome browsers without support for third-party cookies, and to continue investing in privacy-enhancing technologies. This change in path necessitates a departure from our initially planned timeline. Extending this trial is necessary to continue allowing businesses and developers to perform broader testing of alternatives to third-party cookies ahead of any increase in Chrome browsers without support for third-party cookies, and to continue providing valuable real-world feedback on those alternatives.



Ongoing technical constraints

None.



Debuggability

Developers may use the command-line testing switch --test-third-party-cookie-phaseout (available starting Chrome 115) or enable chrome://flags#test-third-party-cookie-phaseout (available starting Chrome 117), to simulate browser behavior with default access to third-party cookies removed. We also started reporting DevTools issues for cookies impacted by the deprecation starting in Chrome 117 to help identify potentially impacted workflows. We are continuing to improve our developer documentation on debugging third-party cookies usage, and guidance on migration to new APIs. https://developer.chrome.com/blog/cookie-countdown-2023oct/



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

Third-Party Cookies will be deprecated on Windows, Mac, Linux, Chrome OS, Android. The deprecation will not affect Android WebView for the time being, where 3PCs are already blocked by default, but can be re-enabled by the embedding application.



Is this feature fully tested by web-platform-tests?

Yes

Yes. We have put together a set of WPTs which cover third-party cookie blocking for subresource requests. It is not yet comprehensive, we are working on adding additional tests to support our standardization efforts. https://wpt.fyi/results/cookies/third-party-cookies/third-party-cookies.tentative.https.html?label=experimental&label=master&aligned



Flag name on about://flags

test-third-party-cookie-phaseout

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

False

Launch bug

https://launch.corp.google.com/4276016

Estimated milestones

Origin trial desktop first120
Origin trial desktop last132
Origin trial desktop first127
Origin trial desktop last130
Origin trial desktop first120
Origin trial desktop last132
Origin trial desktop first120
Origin trial extension 1 end milestone133
DevTrial on desktop117
Origin trial Android first127
Origin trial Android last130
DevTrial on Android117


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5133113939722240?gate=6218696161492992

Links to previous Intent discussions

Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/yGUdvW_t_y0/m/DafsVzHFAQAJ
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/3B5dIm_XXLE/m/DZ2cYzm9AQAJ
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7rkMgacVy4YDA4T6z72mEPfwGst3O1_GbB8jF_W5kBwPyAXA%40mail.gmail.com
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/yGUdvW_t_y0/m/DafsVzHFAQAJ
Intent to Ship: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4ikogMJZce42o-QcGUMDNiM2Lr_6BGAfP8Gzktakc5_fw%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

Johann Hofmann

unread,
Nov 18, 2024, 5:46:34 PM11/18/24
to Joshua Hood, blink-dev
Hi everyone, apologies, some of this email contains outdated information auto-generated from our Chromestatus page which we're going to clean up as soon as possible. Please disregard most sections of the email, the relevant bit is here:

Reason this experiment is being extended

We request to extend the origin trial to M133 to give sites more time to test with third-party cookies restricted. Recently, we announced a new path focused on elevating user choice, instead of third-party cookie deprecation. We will continue to support and invest in the Privacy Sandbox technologies. While we can't predict what exact user preferences will be, it’s important for businesses and developers to prepare for a likely increase in Chrome browsers without support for third-party cookies, and to continue investing in privacy-enhancing technologies. This change in path necessitates a departure from our initially planned timeline. Extending this trial is necessary to continue allowing businesses and developers to perform broader testing of alternatives to third-party cookies ahead of any increase in Chrome browsers without support for third-party cookies, and to continue providing valuable real-world feedback on those alternatives.


Contrary to what the above email suggests we remain committed to our recently announced new path focused on elevating user choice, instead of third-party cookie deprecation. The continuation of this Origin Trial does not affect that path.

Thanks,

Johann

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAp0QgdadRC7Cm9pdVUJ36mEqPuFCw8mDKnLxA9A%2B4wz9a4Jqw%40mail.gmail.com.

Mike Taylor

unread,
Nov 19, 2024, 5:11:06 PM11/19/24
to Johann Hofmann, Joshua Hood, blink-dev
LGTM to extend from 133 to 135 inclusive.

(I checked w/ the team offline to confirm that's the intent)

Mike Taylor

unread,
Nov 20, 2024, 9:02:45 PM11/20/24
to Joshua Hood, blink-dev, Johann Hofmann
It seems like I made a mistake on milestones, so let me correct for the
record:

LGTM to extend from 131 to 133 inclusive.
Reply all
Reply to author
Forward
0 new messages