microsoft / ApplicationInsights-JS

Microsoft Application Insights SDK for JavaScript
MIT License

Is there a suggested method for dealing with browsers disallowing third party cookies without disabling cookies altogether? #2320

Open jrunyen opened 3 months ago

jrunyen commented 3 months ago

We have an Angular application using Application Insights that we're displaying on another site via an iframe, and both Chrome and Firefox are warning that in future versions they will be dropping support for third-party cookies and blocking the ai_user and ai_session cookies entirely.

Screenshot from firefox: application insights cookie error

Chrome: image

We have this same issue with our identity-related cookies on this embedded site, but we could fix that by adding the Partitioned attribute to our cookies (Google docs, Mozilla docs) when they're initially written, but it doesn't seem like Application Insights has hooks for that currently.

Is there any guidance on how we can handle this now or any features in the pipeline that would allow us to handle this situation without disabling the user tracking cookies entirely?

Steps to Reproduce

  1. Host two sites with different domains (A, B)
  2. Set up application insights on site B
  3. Display site B within site A via an iframe
  4. See warnings in latest versions of Firefox and Chrome with default security settings

MSNev commented 3 months ago

Interesting use-case, the key portion is point 1, "host two sites with different domains".

I've tagged as an enhancement as this could be added as an optional configuration that could be used by the CookieMgr code.

Are the 2 domains related? i.e., is there a common base domain?

If there is, you can use the cookieDomain (or cookieCfg.domain) configuration to tell the SDK to use that as the domain when setting / creating cookies, rather than defaulting to the hosting page domain.

The existing cookie configuration options are here, with the typedoc here.

vhhughes commented 3 months ago

We have 25 .NET web apps that each run inside IFrames in the same way (on a separate domain from the top page frame). We're in the middle of remediating them all with other cookies in use (i.e., adding partition keys), but could not find a way for the App Insights cookies to be similarly partitioned using its SDK. It doesn't appear to currently support it, and without it, our use of the SDK is going to break for tens of thousands of customers when Chrome & Edge are updated in August. We really need to be able to adopt an updated SDK and test long before then.

MSNev commented 3 months ago

One thing you can do in the meantime is to provide your own setCookie implementation. The default version (when you don't provide one) is here, so the "value" is the content of the cookie, so you (should) be able to just append the Partitioned value to the string; you can even target it based on the specific cookie name if needed.
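
The workaround described in the comment above, as an added example (not code from the SDK or from anyone in the thread). It assumes the SDK calls the custom function as `setCookie(name, value)` with `value` already holding the cookie value plus its attributes, as the comment describes; `hasAttribute`, `buildPartitionedCookie` and `makeSetCookie` are hypothetical helper names, and the `cookieCfg` wiring in the last comment is an assumed config shape.

```javascript
// Added example, not SDK code. Assumes setCookie(name, value) receives a
// `value` string that already contains the cookie value and its attributes.
const AI_COOKIES = ["ai_user", "ai_session"]; // cookie names from the issue

// True if the attribute (e.g. "Secure", "SameSite") is already present.
function hasAttribute(cookieValue, attr) {
  return cookieValue
    .split(";")
    .slice(1) // the first segment is the cookie value itself
    .some((part) => part.trim().split("=")[0].toLowerCase() === attr.toLowerCase());
}

// Builds the full string to assign to document.cookie.
function buildPartitionedCookie(name, value, partitionNames = AI_COOKIES) {
  let out = value;
  if (partitionNames.includes(name)) {
    // Browsers reject a Partitioned cookie that is not also Secure.
    if (!hasAttribute(out, "Secure")) out += "; Secure";
    // A cookie used from a cross-site iframe needs SameSite=None.
    if (!hasAttribute(out, "SameSite")) out += "; SameSite=None";
    if (!hasAttribute(out, "Partitioned")) out += "; Partitioned";
  }
  return name + "=" + out;
}

// Factory so the target document can be injected (and stubbed when testing).
function makeSetCookie(doc, partitionNames = AI_COOKIES) {
  return (name, value) => {
    doc.cookie = buildPartitionedCookie(name, value, partitionNames);
  };
}

// Wiring (assumed config shape):
//   cookieCfg: { setCookie: makeSetCookie(document) }
```

Because `Partitioned` only takes effect together with `Secure`, the embedded site has to be served over HTTPS for these cookies to be stored at all.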