Questions on the third party cookie removal

[willpowerforever2020]

Dear Chrome Team,

I have three questions on the third party cookie removal after reading through the pages below:
https://www.chromium.org/Home/chromium-privacy/privacy-sandbox#TOC-Turning-Down-Third-Party-Cookies
https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html
https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/

1. Do you have an actual date planned for removing the third party cookie support?

2. What exactly the meaning of "Removing third party cookies"? How about if a website set its cookie with SameSite=none? Will this cookie be included in the cross-site request? Or the SameSite=none support will be removed by Chrome?

3. How's the use cases like two enterprise web applications UI integration through iframe (eg: one is embedded in another) can be supported? These web applications are owned by different company/organizations. This is quite normal for enterprise use cases. cookie used here is for SSO and pass through the authentication for the subsequent requests not for tracking. The first-party sets looks good to support an organization with multiple sites, but how about the sites are owned by different organizations? Who should be the owner, who should be the member? In addition, if one site need to be iframed by thousands of other sites, do we need to add all these domains to the .well-known list?

Looking forward to your answers!

Thanks!
Willpower

[rowan-m]

Hi @willpowerforever2020 - a few answers for you! I've included extra context for other people reading along who may not be as familiar with the proposals as you are.

Do you have an actual date planned for removing the third party cookie support?

We've now published https://privacysandbox.com/timeline and will keep that up to date with Origin Trial details and so on.

What exactly the meaning of "Removing third party cookies"? How about if a website set its cookie with SameSite=none? Will this cookie be included in the cross-site request? Or the SameSite=none support will be removed by Chrome?

There are a few components to this question. By default, no cookies will be sent in a cross-site context which includes cookies with SameSite=None. However, the aim of the Privacy Sandbox is to tackle cross-site tracking - not prevent sites from using cross-site resources. There are currently two proposals that aim to address this for cookies. CHIPS is intended to provide partitioned storage for cookies. This enables use cases such as embedded cross-site widgets that might require a Partitioned cookie for saving state or where a JavaScript client is hosted on one site and needs to include Partitioned cookies on a cross-site request to an API it depends on. The second proposal is First-Party Sets which provides a method for multiple sites to indicate that they are actually owned and operated by the same entity. For example, brand.co.uk and brand.com may well be the same organisation. This proposal would allow a cross-site request to brand.com from brand.co.uk to include SameParty cookies.

The I/O talk "Preparing for a more private web" includes a flow chart that maps out some of these use cases and how you want to plan for testing these proposals.

How's the use cases like two enterprise web applications UI integration through iframe (eg: one is embedded in another) can be supported? These web applications are owned by different company/organizations. This is quite normal for enterprise use cases. cookie used here is for SSO and pass through the authentication for the subsequent requests not for tracking. The first-party sets looks good to support an organization with multiple sites, but how about the sites are owned by different organizations? Who should be the owner, who should be the member? In addition, if one site need to be iframed by thousands of other sites, do we need to add all these domains to the .well-known list?

As you point out, First-Party Sets is not an appropriate solution here as these are clearly multiple parties.

CHIPS is hopefully a route forward for many of these use cases where it's a case of one site loading another in an iframe and that's the default form of access. For example, if I always go to corp-wrapper.com to access 3p-service.com via an iframe then Partitioned cookies would allow some functionality here. However, if I then visited 3p-service.com directly - those Partitioned cookies would not be accessible.

Specifically for SSO-related issues, I'd suggest following the WebID proposal, as this explores options for handling the federated identity use case.

For enterprises where you are specifically dealing with enterprise managed instances of Chrome, there are a number of enterprise policies that allow for control over default cookie behaviour. As an example, during the SameSite=Lax by default work the LegacySameSiteCookieBehaviorEnabledForDomainList policy was added, so I would not be surprised to see some additional options there.

Hope that helps a bit and happy to expand / explore these more!