privacycg / CHIPS

A proposal for a cookie attribute to partition cross-site cookies by top-level site

"Block third-party cookies in Incognito" option and Partitioned attribute #63

Closed PetarPetrov03 closed 2 years ago

PetarPetrov03 commented 2 years ago

Hello,

I am sorry if this is not the correct place to ask my question. Feel free to point me to the correct place.

I have a question about the "Block third-party cookies in Incognito" option in Chrome. When we have this option checked, does it mean that third-party cookies will be blocked even if they have the "Partitioned" attribute set (when in incognito mode)?

We have the following scenario: we have two applications, the first one loads an iFrame and embeds content from the second application. The second application sets some cookies all of which are set correctly with the "Partitioned" attribute (and all the other needed attributes). The option "enable partition cookies" in Chrome is enabled. When we make a call to the first application (NOT in incognito mode) the embedded content from the second application is loaded successfully. But when we call the first application in incognito mode (with "Block third-party cookies in Incognito" option enabled) the browser clearly shows that the cookies are blocked, even though they have the "Partitioned" attribute set.

So we were wondering if "Block third-party cookies in Incognito" option blocks them even if they are set with the "Partitioned" attribute and if this also applies for the "Block third-party cookies" mode. We would be really grateful if you could give us an answer if this is the currently expected behaviour and what will happen once third-party cookies are phased out?

P.S: Our idea to test with "Block third-party cookies in Incognito" option enabled is to test that cookies with "Partitioned" attribute will be available when third-party cookies are phased out, but perhaps this is not the correct way.

Thank you very much in advance for the answer!

Best regards, Petar

DCtheTall commented 2 years ago

Hey @PetarPetrov03, thanks for your feedback.

In Chrome, cookies set with Partitioned are currently not subjected to third-party cookie blocking, since they cannot be used to track activity across different top-level sites.

> The option "enable partition cookies" in Chrome is enabled.

You may need to enable partitioned-cookies-bypass-origin-trial in chrome://flags (in addition to partitioned-cookies) in order to enable the feature. This flag was added for the CHIPS origin trial and will be removed in Chrome 109. Although the OT has concluded, you need to include the flag to use the partitioned cookies feature until 109.

One way to check if the cookies have been set with Partitioned properly: open DevTools and check the Application > Cookies table entry for a Partition Key column. If the column is blank, then the cookie was not set as partitioned and will be blocked in third-party contexts in Incognito.
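
Added example, not part of the thread or of the CHIPS repository: a server-side complement to the DevTools check above, linting the `Set-Cookie` values an embedded application emits before they reach the browser. It assumes the CHIPS explainer's requirement that a `Partitioned` cookie also carry `Secure`, and that a cookie used in a cross-site iframe needs `SameSite=None`; the function names and sample headers are constructed for illustration.

```javascript
// Added example. The header strings at the bottom are constructed samples.

// Split one Set-Cookie header value into its cookie name and attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; flag attributes have no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Report why a cookie would not behave as a partitioned cookie in an embed.
function lintPartitioned(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  // No Partitioned attribute: an ordinary third-party cookie, subject to blocking.
  if (!attrs.partitioned) problems.push("missing Partitioned");
  // Assumption from the CHIPS explainer: Partitioned requires Secure.
  if (!attrs.secure) problems.push("missing Secure");
  // Assumption: cross-site iframe requests only carry SameSite=None cookies.
  if (String(attrs.samesite || "").toLowerCase() !== "none") {
    problems.push("SameSite is not None");
  }
  return { name, ok: problems.length === 0, problems };
}

// Constructed sample headers: one correct, two misconfigured.
const samples = [
  "__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",
  "sid=abc123; Path=/; Secure; SameSite=None",
  "sid=abc123; Path=/; SameSite=Lax; Partitioned",
];
for (const h of samples) {
  const r = lintPartitioned(h);
  console.log(r.name, r.ok ? "ok" : r.problems.join(", "));
}
```

A header that passes this lint can still show a blank Partition Key if the browser feature is not enabled, so the DevTools check remains the final confirmation.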