During the third-party cookie deprecation testing period, it is important for sites and services to prepare for third-party cookie restrictions, including moving to more private alternatives. Subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority, Chrome will ramp up third-party cookie restrictions to 100% of users from early 2025.
To help developers with the transition, throughout this period Chrome also uses heuristics that grant temporary access to third-party cookies, for predefined flows, in order to mitigate breakage. In specific scenarios the access is granted automatically without incremental work from developers, but this is a temporary measure, with the expectation that the heuristics will be removed completely in the future and developers are expected to migrate to long term solutions.
Heuristics based exception scenarios
The scenarios that heuristics intend to identify are primarily authentication where a top-level site either opens a pop-up window or redirects to a third-party site for an operation and then returns to the top-level site, making use of a cookie either on that return journey or in the embedded context.
The following examples describe scenarios in which the browser would automatically grant third-party cookie access based on certain confidence signals. These confidence signals are largely pattern-based and rely on user interaction requirements.
Scenario A - Third party cookie access after pop-up interaction
- The user navigates to Site A
- The user loads a resource on Site B in a pop-up window with opener access, possibly following a set of HTTP redirects*.
- The resource on Site B receives a user interaction after being loaded.
For 30 days after this flow, Site B is allowed third-party cookie access when embedded on Site A.
Scenario B - Third party cookie access after interaction across redirects
- User begins on Site A, and is then redirected to Site B.
- Site B receives a user interaction.
- Site B then redirects back to Site A (possibly through other origins).
For 15 minutes after this flow, Site B is allowed third-party cookie access when embedded on Site A.
The cookie access grant applies only to the pair of first-party site and third-party site. For example, if a scenario is met with first-party-site a.com and third-party site b.com, then any page on b.com is allowed to access cookies when loaded as a resource or iframe on any page on a.com. This grant does not apply to other third-party sites under a.com, b.com as a third-party resource of another top-level domain, or b.com when indirectly embedded on a.com with other cross-site (i.e. not a.com or b.com) iframes in the intermediate ancestor chain . Additionally, cookie access shouldn't be granted to resources of b.com embedded by other iframes which are cross-site to b.com.
For more detailed information about the heuristics you can read the corresponding explainer.
The heuristics-based exceptions demo lets you test third-party cookie access with and without heuristics exceptions.