Temporary third-party cookie access using heuristics-based exceptions.

It is important for sites and services to prepare for third-party cookie restrictions, including moving to more private alternatives.

To help developers with the transition, throughout this period Chrome also uses heuristics that grant temporary access to third-party cookies for predefined flows, in order to mitigate breakage. In these scenarios access is granted automatically, without extra work from developers, but this is a temporary measure: the heuristics are expected to be removed completely in the future, and developers should migrate to long-term solutions.

Heuristics-based exception scenarios

The scenarios the heuristics are intended to identify are primarily authentication flows, where a top-level site either opens a pop-up window or redirects to a third-party site for an operation and then returns to the top-level site, making use of a cookie either on that return journey or in the embedded context.

The following examples describe scenarios in which the browser would automatically grant third-party cookie access based on certain confidence signals. These confidence signals are largely pattern-based and rely on user interaction requirements.

  • The user navigates to Site A.
  • The user loads a resource on Site B in a pop-up window with opener access, possibly following a set of HTTP redirects*.
  • The resource on Site B receives a user interaction after being loaded.

For 30 days after this flow, Site B is allowed third-party cookie access when embedded on Site A.

  • The user begins on Site A and is then redirected to Site B.
  • Site B receives a user interaction.
  • Site B then redirects back to Site A (possibly through other origins).

For 15 minutes after this flow, Site B is allowed third-party cookie access when embedded on Site A.

The cookie access grant applies only to the pair of first-party site and third-party site. For example, if a scenario is met with first-party site a.com and third-party site b.com, then any page on b.com is allowed to access cookies when loaded as a resource or iframe on any page on a.com. The grant does not apply to: other third-party sites under a.com; b.com as a third-party resource of another top-level domain; or b.com when indirectly embedded on a.com with other cross-site (i.e. not a.com or b.com) iframes in the intermediate ancestor chain. Additionally, cookie access shouldn't be granted to resources of b.com embedded by other iframes which are cross-site to b.com.
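The two flows and the site-pair scoping rules above, modelled as a small checker. This is an added illustration written for this page, not Chrome's implementation; the site names (a.com, b.com, c.com, and so on) and timestamps are constructed sample values, and the handling of the final "embedded by other iframes" rule is our reading of the text.

```javascript
// Model of the heuristics-based grant scoping described above. Illustration
// only, not Chrome's code; site names and timestamps are constructed values.
const POPUP_GRANT_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
const REDIRECT_GRANT_MS = 15 * 60 * 1000;        // 15 minutes

// Grants are keyed on the (top-level site, third-party site) pair only.
const grants = new Map();
const pairKey = (topSite, thirdSite) => `${topSite}|${thirdSite}`;

// Pop-up flow: Site A opens Site B in a pop-up that keeps opener access and
// B receives a user interaction. Returns true if a 30-day grant was recorded.
function recordPopupFlow({ topSite, popupSite, openerAccess, userInteracted, now }) {
  if (!openerAccess || !userInteracted) return false;
  grants.set(pairKey(topSite, popupSite), now + POPUP_GRANT_MS);
  return true;
}

// Redirect flow: the user starts on A, is redirected through B (which receives
// an interaction), possibly via other origins, and lands back on A.
// `chain` lists the sites visited in order; it must start and end on A.
function recordRedirectFlow({ chain, interactedSite, now }) {
  const start = chain[0], end = chain[chain.length - 1];
  const viaB = chain.slice(1, -1).includes(interactedSite);
  if (start !== end || interactedSite === start || !viaB) return false;
  grants.set(pairKey(start, interactedSite), now + REDIRECT_GRANT_MS);
  return true;
}

// Would a resource from `resourceSite` get cookie access in this embedding?
// `ancestors` is the frame chain from the top-level site down to the frame
// that embeds the resource (top-level site first).
function hasHeuristicAccess({ ancestors, resourceSite, now }) {
  const topSite = ancestors[0];
  const expiry = grants.get(pairKey(topSite, resourceSite));
  if (expiry === undefined || now >= expiry) return false; // no grant, or expired
  // Any intermediate iframe that is cross-site to both A and B disqualifies.
  const intermediates = ancestors.slice(1);
  if (!intermediates.every(s => s === topSite || s === resourceSite)) return false;
  // Our reading of the last rule: unless b.com is embedded directly by the
  // top-level page, its immediate embedder must be same-site with b.com.
  const parent = ancestors[ancestors.length - 1];
  return ancestors.length === 1 || parent === resourceSite;
}
```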

For more detailed information about the heuristics, read the corresponding explainer.

The heuristics-based exceptions demo lets you test third-party cookie access with and without heuristics exceptions.