Open wongbryan opened 8 months ago
I cannot reproduce.
Can you please clarify what chrome://flags you are using? Have you changed any default devtools settings (preserve log, etc.)?
Please see attached screen recording. I have enabled #test-third-party-cookie-phaseout in chrome://flags and also disabled all third party cookies in chrome://settings/trackingProtection. https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/assets/26299742/c7e4d32d-812b-416a-909c-992183a250d9
The movie does not show the figma tab being reloaded after changing the cookie setting. Did you try that?
Also, can you please show your chrome://flags page?
I restarted Chrome multiple times. Unable to send screenshot of chrome://flags atm, but I have enabled the third party cookies deprecation flag and that’s it.
On Mon, Feb 12, 2024 at 3:09 PM Ben Kelly @.***> wrote:
The movie does not show the figma tab being reloaded after changing the cookie setting. Did you try that?
Also, can you please show your chrome://flags page?
here is a SS of my chrome://flags page
Have you added a cookie exception by clicking this icon in the omnibox?
You would then see something in chrome://settings/trackingProtection like this:
Just to double check: have you tried hard-refreshing figma.com after changing chrome://settings/trackingProtection to block all third-party cookies?
Not sure if it's relevant, but are you in a Chrome Enterprise environment?
@wanderview I have not added a cookie exception for Figma. See attached screenshot (the omnibox says third party cookies are blocked, but the issues panel disagrees):
@samdutton I have hard refreshed and the issues panel has the same message. I am in a Chrome Enterprise environment (on a work laptop).
It seems possible your enterprise admin is applying a cookie exception via an enterprise policy.
You can observe enterprise policies on chrome://policy. Look for an entry with the policy name "CookiesAllowedForUrls".
@wanderview There is no entry for "CookiesAllowedForUrls" and figma.com is not listed in any of the policy domains. I just found this page: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md and thought this is related, but I disabled the heuristics exceptions by disabling the Third-party Cookie Grants Heuristics Testing flag, and Figma is still able to read third party cookies. I wonder though if there's some behavior in Figma's web editor that is causing 3PC exceptions. Again, can you verify that you are unable to repro this? Please note that this issue only occurs in Figma's web editor UI, but not on the Figma homepage. You can repro by visiting this link and opening the chrome issues console while on this page:
Hey @wongbryan , thanks for reporting this issue - it looks like the description in the Issues panel is poorly worded. This message is shown on sites that have 3PCD mitigations enabled, but doesn't respect the "Block all third-party cookies" setting, or other reasons why the cookie might actually be blocked. To clarify, the actual cookie behavior is correct and matches the Tracking Protection dialog in the omnibox - all third-party cookies are blocked when the "Block all third-party cookies" setting is enabled.
I am following up on the Issues panel fix in https://issues.chromium.org/u/4/issues/325310946.
I’m not sure if that is true. If third party cookies are truly being blocked on that page then the app I am loading should NOT be able to authenticate itself with our servers. However, the plugin runs as expected, so I suspect it is using a validated session cookie from our server (which would be a third party cookie since this is in a Figma page).
I still can't reproduce this. Even with the editor link above the devtools warnings still go away when I block all 3P cookies and reload the figma tab. Instead I see this in devtools:
Note: I had to test in a profile that was not part of our corp enterprise policy.
@wanderview This is strange. I asked a coworker to block 3PC and opt into the 3PCD flag and test it. He is experiencing the same issue as I am where 3PC are allowed in Figma. Another coworker reported that 3PC are being blocked as they are supposed to be. I feel like this is probably a bug. Is there a way to investigate further?
I think we would need to see your chrome://flags and chrome://settings/trackingProtection pages. There is probably a setting somewhere that is inconsistent.
chrome://flags
chrome://settings/trackingProtection
Thanks @wongbryan, this seems to be an issue with the #test-third-party-cookies-phaseout flag. You can use #tracking-protection-3pcd to the same effect but it shouldn't result in that message when blocking all third party cookies is turned on.
I'll also note that we might have to revisit showing this message for same-site origins (figma.com / www.figma.com), as that seems confusing, obviously *.figma.com is allowed to set cookies on that site, no matter the setting (except if you block first-party cookies).
Ah @amaliev I think you already fixed the same-site issue with crrev.com/c/5296183, right?
Yes, with that change we only show the message if a cookie is allowed, because of 3PCD mitigations. It will prevent firing the message for same-site cookie access as well.
Disabling #test-third-party-cookies-phaseout and enabling #tracking-protection-3pcd works for me. Thank you for the help! I think I should flag here that enabling #test-third-party-cookies-phaseout not only causes the message shown above, but also was mistakenly allowing 3PC on the webpage. I was able to access features that required reading 3PC when the message was shown, so I don't think the bug was purely cosmetic. Not sure if this is useful, but FYI.
Thanks for confirming, Bryan! This is a separate, unrelated issue where the #test-third-party-cookies-phaseout flag doesn't handle the "Block all third-party cookies" setting properly. This does not affect production users.
I've disabled third party cookies by enabling the experiment flag and also via Settings > Tracking Protection > Block all third party cookies.
If I go to www.figma.com and open the issue panel in Chrome, I see a message saying Figma is allowed to read third party cookies.
This does not happen on other websites, only on Figma. Can anyone else repro?