Third-party matching trial token loaded in top level site is still not allowing 3P cookies access

[annamalai87]

Our usecase(http://b/332975135) to access third party cookies for the origin https://pay.google.com is recently approved. We could successfully inject the trial token with third party matching in the top level site when it loads our script. Although developer tool shows the token is valid in the application tab, when the top level site loads the iframe with the origin pay.google.com is still unable to access the top level site cookies.

Here are the screenshots:

Top level site shows the trial token is injected:

Developer tool shows the trial token is valid:

Iframe with the origin pay.google.com still unable to access 3P cookies:

Same Iframe when we enable the option to access 3P cookies manually can access 3P cookies:

[hoodjoshua]

Can you confirm that you're using the following flag configuration?

chrome://flags/#third-party-cookie-deprecation-trial → enabled
chrome://flags/#tracking-protection-3pcd → enabled
chrome://flags/#tpcd-metadata-grants → disabled
chrome://flags/#tpcd-heuristics-grants → disabled

[wanderview]

Also please confirm you are not testing in incognito mode which uses a stricter form of 3P cookie blocking.

[hoodjoshua]

After taking a closer look at your demo page, the issue appears to be that after the script runs and injects the pay.google.com trial token, there is a pay.google.com iframe loaded without the trial token.

The trial is persistent, so loading an iframe from the token origin without the trial token will disable the trial. This is noted under the graphic here.

[annamalai87]

You are right about the trial being not persistent as soon as the first iframe was loaded without the token. However, after loading the iframe with the same token (By setting its origin-trial response header), still the trial seems to be disabled. Should we need to use two tokens? One for top level site with third party matching and another when loading the iframe?

[hoodjoshua]

Should we need to use two tokens? One for top level site with third party matching and another when loading the iframe?

Yes, you will need a different token for the iframe.

The "third-party matching" tokens are only for use by scripts that inject the token on other origins. The tokens that can be used by iframes are provided for trial registrations where the "third-party matching" box is not checked.