Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cookies Having Independent Partitioned State (CHIPS) #30

Closed
DCtheTall opened this issue Nov 16, 2021 · 3 comments
Closed

Cookies Having Independent Partitioned State (CHIPS) #30

DCtheTall opened this issue Nov 16, 2021 · 3 comments

Comments

@DCtheTall
Copy link

Cookies Having Independent Partitioned State (CHIPS) is a proposal for a new cookie attribute, Partitioned. This attribute will indicate to user agents that these cross-site cookies should only be available in the same top-level context (top-level site or that site's First-Party Set if it has one) that the cookie was first set in.

In order to improve user privacy on the web, browsers are planning or have already begun to phase out third-party cookies (Chrome, Safari, Firefox). In order to continue to support cross-site cookie use cases which are restricted to a user's activity within a single top-level site, browsers have implemented and attempted to ship partitioned cookies, i.e. cookies which are only sent when a user agent is on the same top-level site as when the cookies were sent. For example, Firefox implemented partitioning cross-site cookies by top-level site by default in their Total Cookie Protection, which is enabled in ETP Strict mode. Safari previously tried implementing cookie partitioning, but eventually rolled it back. One of the stated reasons for the rollback was developer confusion with the partitioned semantics. They have since proposed leveraging the Storage Access API to allow developers to opt in to receiving partitioned state.

CHIPS differs from previous cookie partitioning design mainly because CHIPS requires third-party sites to set their cookies with the Partitioned attribute. We believe a third-party developer opt-in (instead of partitioning by default) will provide site owners the opportunity to migrate their system to the new cookie behavior before completely phasing out cross-site cookies that are set without the Partitioned attribute. In addition, it affords developers a choice between partitioned and unpartitioned cookies on user agents that continue to support unpartitioned cross-site cookies - whether by default, or for domains that may be allowlisted by user/device owner configuration. Unlike the Storage Access API, this proposal would also allow cross-site requests to receive cookies without requiring them to load a JavaScript execution context.

The developer opt-in also gives browser vendors an opportunity to incentivize developers to adopt best practices for cookies. For example, CHIPS requires cookies set with the Partitioned attribute must also be set with the __Host- prefix, requiring the cookies be host-bound and only sent over secure channels.

CHIPS also proposes to use the top-level site’s First-Party Set (FPS) owner as the partition key. This allows third-party service providers to use the same session identifier across sites within the same FPS, and allows them to serve common workflows such as single sign-on, and consent management across the sites, as long as they are within the same FPS.

Finally, our proposal also suggests user agents to not apply the 180 per-domain cookie limit to partitioned cookies, since this leaks information about users' state across different top-level sites. Instead, we recommend user agents apply a per-partition limit on the number of cookies that third-party domains can store. To prevent partitioned cookies from having a large memory footprint, we recommend that this limit be small, on the order of ~5-10 cookies.

Compatibility Considerations

Older clients will ignore the Partitioned attribute, and treat the cookie as unpartitioned in cross-site contexts. In order to allow developers to disambiguate requests coming from a partitioned context, we are also proposing modifying/adding a Fetch Metadata request header (w3c/webappsec-fetch-metadata/issues/80) to indicate when a request is coming from a partition context.

@krgovind krgovind added the agenda+ Request to add this issue to the agenda of our next telcon or F2F label Dec 2, 2021
@TanviHacks TanviHacks removed the agenda+ Request to add this issue to the agenda of our next telcon or F2F label Jan 11, 2022
@johannhof
Copy link
Member

Recapping key points from our discussion at yesterday's PrivacyCG call:

  • Reps from Chrome, Firefox, Safari and Edge were all generally supportive of CHIPS, of course with some details still to be figured out.
  • Firefox, Safari and Edge are also interested in exploring partitioning based on requestStorageAccess, however that is not blocking progress on CHIPS.
  • Some of the more detailed concerns that were discussed:
  • In Slack there was also a conversation around the right venue for standardization. Given the positive signals from PrivacyCG I'm inclined to think that it might be a good place for incubation, but generally the primary venue for standardization is the HTTP WG, pending some decision on Cookie layering httpwg/http-extensions#2084

Another detail that wasn't discussed because we were out of time was giving servers more context on requests, which is now part 6 of privacycg/meetings#19

Overall I think we made great progress!

@bvandersloot-mozilla
Copy link

As Johann captured, and to provide a little more context, given our move toward standardizing on blocking third-party cookies by default, Mozilla is supportive of CHIPS, pending details.

@johannhof
Copy link
Member

It's probably fine to close this issue, given that we've had https://github.com/privacycg/CHIPS for a long time now :)

@privacycg privacycg deleted a comment from Sarrac3873 Jan 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants