privacysandbox / privacy-sandbox-dev-support

Discuss your Privacy Sandbox developer questions with the Chrome team.
Apache License 2.0

How to request end-users of our software to test future behavior (all third party cookies blocked, local/session storage partitioning enabled) #289

Closed ChasePattersonRaleigh closed 1 week ago

ChasePattersonRaleigh commented 7 months ago

Hi,

We have opted into both the storage partitioning deprecation trial (i.e. DisableThirdPartyStoragePartitioning) and third-party cookie deprecation trials.

Question 1: We would like to ensure our customers can test their sites with third party cookies entirely blocked in their browser (and local/session storage partitioning enabled). What's the best way to suggest to them to test this? Simpler would be better. I'm following the advice here, but since we are enrolled in those deprecation trials, I don't think it's as simple as telling them to set chrome://flags/#test-third-party-cookie-phaseout to enabled.

Here is my proposal for what steps to give the customers for 2 scenarios:

Scenario 1: Manual testing in chrome browser:

  1. Set the following 7 flags to ensure all third party cookies get blocked on your site:

    chrome://flags#tracking-protection-3pcd: enabled
    chrome://flags#test-third-party-cookie-phaseout: enabled
    chrome://flags#third-party-cookie-deprecation-trial: disabled
    chrome://flags#top-level-third-party-cookie-deprecation-trial: disabled
    chrome://flags#tpcd-metadata-grants: disabled
    chrome://flags#tpc-phase-out-facilitated-testing: default 
    chrome://flags#tpcd-heuristics-grants: disabled
  2. Also, ensure that CookiesAllowedForUrls and BlockThirdPartyCookies are not set, as they can allow third party cookies. Check chrome://policy to see if they are set. If yes, then log in to Chrome using an unmanaged account and check that they are cleared.

Question 2: This seems a bit involved and I'm not sure if I've gotten everything correct. Is there any other condition that might allow third party cookies in a customer environment? Is there a more straightforward approach that would be easier to document and for customers to implement? For example, I suspect the following might have the exact same effect: Set chrome://flags#tracking-protection-3pcd AND chrome://flags#test-third-party-cookie-phaseout (actually not sure if this one is required here) to enabled, then in chrome://settings/trackingProtection, toggle "Block all third-party cookies". Can we just share that for this scenario instead of setting 7 flags? Maybe they only need to set 1 or 2 flags. EDIT (March 27): I tried setting the two flags and setting block all third-party cookies as true in chrome://settings/trackingProtection and it didn't seem to block our third party cookies. I suspect it's because of the 3pc third-party deprecation tokens we provided on the iframed content. At least using the 6-7 flags seemed to work in some initial testing.

Scenario 2: Run automated tests with selenium:

  1. Start chrome with the following flags set: --test-third-party-cookie-phaseout --enable-features=TrackingProtection3pcd --disable-features=TopLevelTpcdSupportSettings,TpcdHeuristicsGrants,TpcdMetadataGrants,TpcdSupportSettings

Note: I got those by setting the 7 flags in scenario 1 and copying the arguments directly from chrome://version.

Question 3: What is the expected behavior for local/session storage APIs when the above settings are used? It would be good to ensure the customer is testing the behavior of those APIs as they will be after Dec 27, 2024 when all the changes are effective. I am mostly asking because of some oddities I noticed in the APIs depending on if cookies are blocked or not and because we are also opted into the storage partitioning deprecation trial to temporarily reenable unpartitioned storage access. I'm doubtful the above settings will trigger the future storage partitioning behavior with respect to local/session storage APIs. Since we are removing the deprecation tokens for both of these on a similar timeline, it would be ideal for customers to test with storage partitioning enabled as well BEFORE we remove the tokens for the trials.

Question 4: (related to last question): I have seen when third party cookies are blocked that local/session storage APIs throw an exception in third party contexts per this document. However, I'm not sure if that will always be the behavior going forward, even after Dec 27, 2024? I thought storage partitioning was supposed to allow those APIs to work in a third party context, so I'm a bit confused what's expected in the future and/or with our settings specified above. This makes it seem like local/session storage will never work in third party contexts.
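
A check for the Scenario 2 launch configuration, added here as an example and not code from the post or the Chrome team: it builds the argument list given in the post and audits a command line (for instance the one copied from chrome://version) against it. The function names are hypothetical and `start_chrome` assumes the `selenium` package is installed; enterprise policies and deprecation-trial tokens, which the post also mentions, are outside what it checks.

```python
# Added example; switch and feature names are copied from Scenario 2 in the post above.
REQUIRED_SWITCH = "test-third-party-cookie-phaseout"
MUST_ENABLE = {"TrackingProtection3pcd"}
MUST_DISABLE = {"TopLevelTpcdSupportSettings", "TpcdHeuristicsGrants",
                "TpcdMetadataGrants", "TpcdSupportSettings"}

def build_chrome_args():
    """Return the Chrome arguments listed in Scenario 2."""
    return ["--" + REQUIRED_SWITCH,
            "--enable-features=" + ",".join(sorted(MUST_ENABLE)),
            "--disable-features=" + ",".join(sorted(MUST_DISABLE))]

def parse_command_line(cmdline):
    """Split a command line into its switch names and enabled/disabled feature sets."""
    switches, enabled, disabled = set(), set(), set()
    for token in cmdline.split():
        if not token.startswith("--"):
            continue  # executable path or positional argument
        name, _, value = token[2:].partition("=")
        switches.add(name)
        # A feature entry may carry "<Trial" or ":param/value" suffixes; keep the name only.
        names = {f.split("<")[0].split(":")[0] for f in value.split(",") if f}
        if name == "enable-features":
            enabled |= names
        elif name == "disable-features":
            disabled |= names
    return switches, enabled, disabled

def audit(cmdline):
    """Return deviations from the Scenario 2 configuration (empty list means it matches)."""
    switches, enabled, disabled = parse_command_line(cmdline)
    problems = [] if REQUIRED_SWITCH in switches else ["missing --" + REQUIRED_SWITCH]
    problems += ["not enabled: " + f for f in sorted(MUST_ENABLE - enabled)]
    problems += ["not disabled: " + f for f in sorted(MUST_DISABLE - disabled)]
    problems += ["both enabled and disabled: " + f for f in sorted(enabled & disabled)]
    return problems

def start_chrome():
    """Launch Chrome through Selenium with the Scenario 2 arguments."""
    from selenium import webdriver  # imported lazily so the audit works without selenium
    options = webdriver.ChromeOptions()
    for arg in build_chrome_args():
        options.add_argument(arg)
    return webdriver.Chrome(options=options)

if __name__ == "__main__":
    # Constructed sample of an incomplete command line (not taken from the page).
    print(audit("chrome --enable-features=TrackingProtection3pcd --disable-features=TpcdHeuristicsGrants"))
```
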

samdutton commented 7 months ago

Just to say — your summary of flag usage looks correct. Will get back to you in response to your questions (thanks for these!)

wanderview commented 2 months ago

FWIW, there is now an origin trial that allows you to opt-in to having 3P cookies restricted on your origin:

https://groups.google.com/a/chromium.org/g/blink-dev/c/3B5dIm_XXLE/m/MqadndJpBgAJ

samdutton commented 1 week ago

Given the changes since this issue was opened, I'm going to close it — but feel free to reopen.