Request for Deprecation Trial: Deprecate Third-Party Cookies
Ben Kelly
Contact emails
joha...@chromium.org, wande...@chromium.org
Explainer
None
Specification
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12#name-the-cookie-header-field
Summary
We intend to deprecate and remove default access to third-party (aka cross-site) cookies as part of the Privacy Sandbox Timeline for the Web, starting with an initial 1% testing period in Q1 2024, followed by a gradual phaseout planned to begin in Q3 2024 after consultation with the CMA. (The gradual phaseout is subject to addressing any remaining competition concerns of the UK’s Competition and Markets Authority.)
Phasing out third-party cookies (3PCs) is a central effort to the Privacy Sandbox initiative, which aims to responsibly reduce cross-site tracking on the web (and beyond) while supporting key use cases through new technologies. Our phaseout plan was developed with the UK's Competition and Markets Authority, in line with the commitments we offered for Privacy Sandbox for the web.
To support this effort we would like to run a deprecation trial for third-party embedded content. Qualified third-parties participating in the trial can supply a token via an iframe or third-party script in order to continue receiving third-party cookies on requests to that origin.
Goals for experimentation
The primary goal of the deprecation trial is to reduce the amount of broken user-visible experiences as third-party cookies are phased out. Third-party embedded content or services with these kinds of experiences can use the trial to continue to receive third-party cookies while they work on long term solutions for their users based on CHIPS, Storage Access API, Related Website Sets, FedCM, etc.
To meet this goal, requests to register for the deprecation trial will be reviewed to confirm eligibility. Specifically, third-party providers will need to demonstrate functional breakage in user journeys to be eligible. Because the deprecation trial is not intended to support cross-site tracking for advertising purposes, third-party embeds and services used for advertising will not be eligible. The ineligibility of advertising use cases will also help to ensure the deprecation trial does not interfere with the industry testing planned for the start of 2024 as described by the CMA.
Experiment timeline
Registration opens the week of November 27, 2023.
The trial will end on December 27, 2024.
Effective in Chrome versions M120 through M132
Blink component
Search tags
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Web Compatibility:
Despite 3PCs already being blocked in Firefox and Safari and developer outreach efforts to raise awareness and encourage developers to prepare for the deprecation, we currently estimate that a non-trivial number of sites are still relying on third-party cookies for some user-facing functionality. See Intent to Deprecate and Remove for more information: https://groups.google.com/a/chromium.org/g/blink-dev/c/RG0oLYQ0f2I/m/xMSdsEAzBwAJ
Interoperability:
Both Firefox and Safari have removed default access to third-party cookies already, though there are small differences in how browsers treat SameSite=None cookies in so called “ABA” scenarios (site A embeds site B, which embeds site A again). Chrome ships the more secure and more restrictive variant, and from initial conversations we are optimistic that other browsers will adopt it as well. There are also subtle differences in how browsers restore access to third-party cookies through mechanisms such as heuristics or custom quirks. Where Chrome implements similar measures (such as the heuristics), we try to follow the launch and standards processes to achieve as much interop as we can, given other requirements such as privacy and security.
Gecko: Shipped/Shipping
WebKit: Shipped/Shipping
Web developers: Mixed signals (https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability/#:~:text=The%20Benefits%20of%20Collaboration) As one of the most impactful changes to the web platform in a long time, the deprecation of 3rd party cookies and the introduction of alternative APIs have received a lot of helpful feedback from web developers to an extent impossible to summarize in a few sentences. As described in the summary, the Privacy Sandbox wants to ensure that a vibrant, freely accessible web can exist even as we roll out strong user protections and we will continue to work with web developers to understand their use cases and ship the right (privacy-enhancing) APIs. And we’ve received feedback that gives us confidence that we’re on the right track.
Other signals:
Activation
Impact on the Ads ecosystem:
A suite of APIs for delivering relevant ads, measuring ad performance, and preventing fraud and abuse are now generally available in Chrome to continue to facilitate ad-supported content on the web. We continue to work closely with the UK Competition and Markets Authority (CMA) on evaluating the impact of this change on the ads ecosystem.
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Ongoing technical constraints
None
Debuggability
Developers may use the command-line testing switch --test-third-party-cookie-phaseout (available starting Chrome 115) or enable chrome://flags#test-third-party-cookie-phaseout (available starting Chrome 117), to simulate browser behavior with default access to third-party cookies removed. We also started reporting DevTools issues for cookies impacted by the deprecation starting in Chrome 117 to help identify potentially impacted workflows. We are continuing to improve our developer documentation on debugging third-party cookies usage, and guidance on migration to new APIs.
https://developer.chrome.com/blog/cookie-countdown-2023oct/
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No
Third-Party Cookies will be deprecated on Windows, Mac, Linux, Chrome OS, Android. The deprecation will not affect Android WebView for the time being, where 3PCs are already blocked by default, but can be re-enabled by the embedding application.
Is this feature fully tested by web-platform-tests?
Yes
Yes. We have put together a set of WPTs which cover third-party cookie blocking for subresource requests. It is not yet comprehensive, we are working on adding additional tests to support our standardization efforts.
Flag name on chrome://flags
test-third-party-cookie-phaseout
Finch feature name
None
Non-finch justification
None
Requires code in //chrome?
False
Launch bug
https://launch.corp.google.com/4276016
Estimated milestones
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5133113939722240
Links to previous Intent discussions
Mike Taylor
LGTM for a deprecation trial from M120 to M132. For those of you who have followed my career (all 2 of you), it shouldn't come as a surprise that I appreciate the desire and efforts to minimize the compat implications for sites that are earnestly moving towards this brave new post-3rd-party cookies world.
(Note: I don't work on third-party cookie deprecation but I would
have landed on a similarly recommended timeline for
migration/deprecation. Thanks for being accommodating and
realistic to the complicated demands of web development and
deployment of different use-cases.)
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7rkMgacVy4YDA4T6z72mEPfwGst3O1_GbB8jF_W5kBwPyAXA%40mail.gmail.com.
Ben Kelly
Ben Kelly
Ben Kelly
Joshua Hood
Hi Blink API owners,
We would like to request your approval for adding a first-party version of this Deprecation Trial. This will be helpful for top-level origins that also need additional transition time, in cases where it is impossible, impractical or unnecessary to sign the affected third-party (3P) providers up for the 3P deprecation trial. This deprecation trial temporarily provides cross-site cookie access for non-advertising use cases.
This has been requested by web developers on threads such as the I2D&R thread for third-party cookies.
Our proposed timelines for this trial remain unchanged:
Registration opens the week of January 15, 2024 [1]
The trial will end on December 27, 2024
Effective in Chrome versions M120 through M132
[1] As communicated previously, the grace period that we are providing for the third-party deprecation trial also applies to the first-party deprecation trial. Additionally, to minimize user impact before registration for the trial opens, Chrome will provide temporary access to third-party cookies for sites with reported user-facing breakage during this grace period.
Chris Harrelson
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4e6f1196-440e-4212-bf88-8bc68cd700b2n%40chromium.org.
Johann Hofmann
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9wHa6O6VPRX5GtfTuhx5whJ1DUt2EAUrfLU650Gaet8w%40mail.gmail.com.
Brett McStotts
Ben Kelly
I'm interested in the first-party version of the 3PDC Deprecation Trial for top-level origins. I've already registered my domain for the DT for the third-party version. My token is technically already first-party; I did not enable "Third-party matching" as instructed under providing the token in an HTTP header. Can I use my existing token for the upcoming first-party version for top-level origins? Or will this be a separate registration process where I need a different token?
Johann Hofmann
Announcement blog: https://developers.google.com/privacy-sandbox/blog/3pcd-first-party-deprecation-trial-available
Documentation: https://developers.google.com/privacy-sandbox/3pcd/temporary-exceptions/first-party-deprecation-trial
Thanks,
Johann