It is important for sites and services to prepare for third-party cookie restrictions, including moving to more private alternatives.
To help developers with the transition, throughout this period Chrome also uses heuristics that grant temporary access to third-party cookies for predefined flows, in order to mitigate breakage. In specific scenarios the access is granted automatically without incremental work from developers, but this is a temporary measure: the heuristics are expected to be removed completely in the future, and developers are expected to migrate to long-term solutions.
Heuristics-based exception scenarios
The scenarios that the heuristics are intended to identify are primarily authentication flows, where a top-level site either opens a pop-up window or redirects to a third-party site for an operation and then returns to the top-level site, making use of a cookie either on that return journey or in the embedded context.
The following examples describe scenarios in which the browser would automatically grant third-party cookie access based on certain confidence signals. These confidence signals are largely pattern-based and rely on user interaction requirements.
Scenario A - Third-party cookie access after pop-up interaction
- The user navigates to Site A
- The user loads a resource on Site B in a pop-up window with opener access, possibly following a set of HTTP redirects*.
- The resource on Site B receives a user interaction after being loaded.
For 30 days after this flow, Site B is allowed third-party cookie access when embedded on Site A.
Scenario B - Third-party cookie access after interaction across redirects
- User begins on Site A, and is then redirected to Site B.
- Site B receives a user interaction.
- Site B then redirects back to Site A (possibly through other origins).
For 15 minutes after this flow, Site B is allowed third-party cookie access when embedded on Site A.
The cookie access grant applies only to the pair of first-party site and third-party site. For example, if a scenario is met with first-party site a.com and third-party site b.com, then any page on b.com is allowed to access cookies when loaded as a resource or iframe on any page on a.com. This grant does not apply to other third-party sites under a.com, to b.com as a third-party resource of another top-level domain, or to b.com when indirectly embedded on a.com with other cross-site (i.e. not a.com or b.com) iframes in the intermediate ancestor chain. Additionally, cookie access shouldn't be granted to resources of b.com embedded by other iframes which are cross-site to b.com.
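As an added illustration (not Chrome's code), the following JavaScript models the grant scope described above: grants are keyed by the (first-party site, third-party site) pair, expire after 30 days (Scenario A) or 15 minutes (Scenario B), and are withheld when the intermediate ancestor chain contains other cross-site iframes. The site derivation is a simplified eTLD+1 assumption, and the reading that the iframe directly embedding the b.com resource must itself be same-site with b.com is an assumption.

```javascript
// Added example, not Chrome's implementation: a model of which embedding contexts a
// heuristic grant covers. Site derivation is simplified (assumption: the site is the
// last two labels of the host; a real browser consults the Public Suffix List).
const GRANT_LIFETIME_MS = {
  popup: 30 * 24 * 60 * 60 * 1000, // Scenario A: 30 days
  redirect: 15 * 60 * 1000,        // Scenario B: 15 minutes
};

function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class HeuristicGrants {
  constructor() {
    this.expiry = new Map(); // "firstPartySite|thirdPartySite" -> expiry timestamp (ms)
  }

  // Record a completed Scenario A ('popup') or Scenario B ('redirect') flow at time `now`.
  // A pair keeps the later of its existing and new expiry.
  record(firstPartyHost, thirdPartyHost, scenario, now) {
    const key = `${siteOf(firstPartyHost)}|${siteOf(thirdPartyHost)}`;
    const until = now + GRANT_LIFETIME_MS[scenario];
    this.expiry.set(key, Math.max(this.expiry.get(key) ?? 0, until));
  }

  // Does a resource from `resourceHost`, loaded on a page at `topLevelHost` through the
  // intermediate iframes `ancestorHosts` (outermost first; empty when embedded directly
  // by the top-level page), get third-party cookie access at time `now`?
  allowed(topLevelHost, resourceHost, ancestorHosts, now) {
    const a = siteOf(topLevelHost);
    const b = siteOf(resourceHost);
    const until = this.expiry.get(`${a}|${b}`);
    if (until === undefined || now >= until) return false; // no grant, or expired
    // Every intermediate iframe must be same-site with a.com or b.com.
    if (!ancestorHosts.every(h => [a, b].includes(siteOf(h)))) return false;
    // Assumed reading of the last rule: the iframe directly embedding the b.com resource
    // must itself be same-site with b.com.
    const parent = ancestorHosts[ancestorHosts.length - 1];
    return parent === undefined || siteOf(parent) === b;
  }
}
```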
For more detailed information about the heuristics you can read the corresponding explainer.
The heuristics-based exceptions demo lets you test third-party cookie access with and without heuristics exceptions.