[blink-dev] PSA: Third-Party Cookie Allowlist Header Explainer

[Ari Chivukula]

Contact Emails

ari...@chromium.org, alex...@google.com, a...@google.com, mike...@chromium.org

Explainer

https://explainers-by-googlers.github.io/third-party-cookie-allowlist-header/

Summary

Today, websites have limited control over third-party origins storing/reading cookies. This includes, but is not limited to, circumstances where third parties are compromised (such as when an imported script abuses access to perform disallowed actions) or layered (such as, an advertising service that has content served by another party). This may raise trust issues that are not technically verifiable, for example in the case of compliance with local data protection and privacy laws.

We propose two new headers, which together allow parent frames to enforce third-party cookie restrictions and child frames to actively consent or passively reject selective enforcement.

These headers will never grant access to third-party cookies where it would otherwise have been denied, they will only deny access where it would otherwise have been granted. Browser and origin-specific settings related to third-party cookie blocking will take precedence.