The --test-third-party-cookies-phaseout setting in Canary does not seem to block samesite:none cookies in top-level navigations.

[whitehatguy]

Hi Chrome Team,

We're trying to determine the impact of the removal of samesite=none cookies in Chrome; we've configured canary to test the third-party cookies phaseout, but we still see that Chrome both accepts samesite=none cookies and honors them on cross-site HTTP POSTs in the top-level browsing context.

Are cross-site cookies only being deprecated in nested browsing contexts and/or resource loads? Previous communications have implied a complete removal of cross-site cookies. I would have expected cross-site POST operations (which are not idempotent) to no longer send any form of cookies with privacy sandbox?

[krgovind]

Hi @whitehatguy; yes our current plan is to only deprecate default access to cross-site cookies in subresource/nested contexts.

Previous communications have implied a complete removal of cross-site cookies.

Would you be able to point me to these if these are online, so we can correct them?

I would have expected cross-site POST operations (which are not idempotent) to no longer send any form of cookies with privacy sandbox?

This is not within the current scope for third-party cookie deprecation in Chrome. Such a change will likely be very disruptive to the ecosystem since it would impact common web payments and identity flows; so we will need to ensure compatibility.

[whitehatguy]

@krgovind - certainly.

First, much of the communication around privacy sandbox declares it will make third-party cookies deprecated/obsolete. Example: https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html

The Chromium page discussing privacy sandbox asserts the following that implies that "third-party cookies" is equivalent to "samesite=none":

Requirement to label third party cookies as “SameSite=None, as well as require them to be marked Secure

Additionally, the Chrome documentation for phase out makes the following statements:

As part of the Privacy Sandbox project, Chrome is phasing out support for third-party cookies ...

Identify first-party and third-party cookies in your code. Cookies that contain SameSite=None will require updates.

The latter implies that "SameSite=None" is equivalent to "third-party cookies".

So, either one of two things needs to be clarified in these documents:

• If "SameSite=None" is semantically equivalent to "third-party cookies", then privacy sandbox needs to make it clear that the behaviors of third-party cookies in top-level navigations will remain untouched and that "Third Party Cookies" are not completely being phased out.
• If "SameSite=None" is not equivalent to "third-party cookies", then these documents should clearly indicate that these are different concepts.

I'm guessing the latter may be more appropriate, as news articles have already framed this as a complete phase-out of third-party cookies.

[krgovind]

Thanks for the pointers. I've passed this feedback on internally, and we expect to post some clarifications on this soon.

[vishparshav]

Hi,
We are seeing same behavior on our end where 3P cookie (set with SameSite=none) are not being blocked in cross site POST calls. Can you define what you mean by "cross-site cookies in subresource/nested contexts"?

I had added a similar question on this #191, would be worth getting a look at it to understand why in our case it works but does not work in example set to replicate the behavior in #191 (comment)

[ondrejkoboltvan]

Thank you for your professional reviews and advice, it helped me a lot, thank you again

[ondrejkoboltvan]

Thank you for your professional reviews and advice, it helped me a lot, thank you again