Proposal for new `Partitioned` cookie attribute from Kaustubha Govind on 2021-04-30 (ietf-http-wg@w3.org from April to June 2021)

From: Kaustubha Govind <kaustubhag@google.com>
Date: Fri, 30 Apr 2021 12:31:51 -0400
To: ietf-http-wg@w3.org
Cc: Dylan Cutler <dylancutler@google.com>
Message-ID: <CAHTnisTDyOwKGg-p7_UypeumVfoFsS-0SbnHvxbQF9tutFfWwg@mail.gmail.com>

Hi all,

I am part of the Chrome team working to phase-out third-party cookies; and
would like to invite your feedback on our proposal to introduce a new
`Partitioned` cookie attribute: https://github.com/DCtheTall/CHIPS

While third-party (cross-domain) cookies enable tracking across the web,
there are also use cases on the web today where cross-domain subresources
require some notion of session or persistent state. In these scenarios, the
intention for the cookies is not to track across sites, but to provide a
notion of session (or state) to embedders for a user's activity within a
single top-level context.

Our proposal is to introduce a new opt-in cookie attribute, `Partitioned`,
which servers can use to indicate they’d wish to set a cross-site cookie
which is partitioned by top-level site.

I should also point out that Firefox recently started partitioning all
third-party cookies by default in the ETP Strict mode [1]. We prefer an
opt-in approach to ensure that developers fully understand what semantics
to expect, and avoid potential confusion and site compatibility issues. In
addition, the WebKit team also recently proposed using the Storage Access
API to allow embeds to optionally request access to partitioned cookies
[2]. We think using a cookie attribute will be more efficient than a
JavaScript-based approach.

The motivation for this work is that when major browsers no longer support
unpartitioned third-party cookies, these Partitioned cookies should not be
subject to the same cross-site cookie restrictions as unpartitioned
third-party cookies. This would allow third parties to continue to use
cookies without giving them the capability of storing cross-site
identifiers on users’ machines.

We understand that this attribute will likely not be applicable to all HTTP
clients. At this time, we would like to incubate the idea in the WICG and
are asking for feedback/support here:
https://discourse.wicg.io/t/proposal-cookies-having-independent-partitioned-state-chips/5290

Thank you,
Kaustubha Govind
Engineering Manager, Chrome

[1] https://hacks.mozilla.org/2021/02/introducing-state-partitioning/
[2] https://github.com/privacycg/storage-access/issues/75

Received on Friday, 30 April 2021 16:32:17 UTC