It is important for sites and services to prepare for third-party cookie restrictions, including moving to more private alternatives.
To help developers with the transition, Chrome also uses heuristics during this period that grant temporary third-party cookie access for predefined flows, in order to mitigate breakage. In specific scenarios the access is granted automatically, without incremental work from developers, but this is a temporary measure: the expectation is that the heuristics will be removed completely in the future, and developers are expected to migrate to long-term solutions.
Heuristics-based exception scenarios
The scenarios the heuristics are intended to identify are primarily authentication flows, where a top-level site either opens a pop-up window or redirects to a third-party site for an operation and then returns to the top-level site, using a cookie either on that return journey or in the embedded context.
The following examples describe scenarios in which the browser would automatically grant third-party cookie access based on certain confidence signals. These confidence signals are largely pattern-based and rely on user interaction requirements.
Scenario A - Third-party cookie access after pop-up interaction
- The user navigates to Site A
- The user loads a resource on Site B in a pop-up window with opener access, possibly following a set of HTTP redirects*.
- The resource on Site B receives a user interaction after being loaded.
For 30 days after this flow, Site B is allowed third-party cookie access when embedded on Site A.
Scenario B - Third-party cookie access after interaction across redirects
- User begins on Site A, and is then redirected to Site B.
- Site B receives a user interaction.
- Site B then redirects back to Site A (possibly through other origins).
For 15 minutes after this flow, Site B is allowed third-party cookie access when embedded on Site A.
The cookie access grant applies only to the pair of first-party site and third-party site. For example, if a scenario is met with first-party site a.com and third-party site b.com, then any page on b.com is allowed to access cookies when loaded as a resource or iframe on any page on a.com. This grant does not apply to other third-party sites under a.com, to b.com as a third-party resource of another top-level domain, or to b.com when indirectly embedded on a.com with other cross-site (i.e. not a.com or b.com) iframes in the intermediate ancestor chain. Additionally, cookie access shouldn't be granted to resources of b.com embedded by other iframes which are cross-site to b.com.
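The two flows and the scoping rules above, modelled as an added example (not Chrome's implementation): grants are keyed on the (top-level site, third-party site) pair, expire after 30 days or 15 minutes, and are refused when a frame that is cross-site to both a.com and b.com sits between the top-level page and the b.com resource. The `site()` helper, the `HeuristicGrants` class and its parameter names are assumptions for illustration.

```javascript
// Added example (not Chrome's code): a small model of the two heuristic grants
// and the grant-scoping rules above. "Site" is approximated as the last two
// host labels (an assumption; Chrome uses the Public Suffix List for eTLD+1).
const MIN = 60 * 1000, DAY = 24 * 60 * MIN;

function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class HeuristicGrants {
  constructor() { this.grants = new Map(); }   // "topSite|embeddedSite" -> expiry (ms)

  // Scenario A: a pop-up with opener access is opened from A, ends up on B
  // (after any redirects) and B receives a user interaction -> 30-day grant.
  recordPopupFlow({ opener, finalHost, hadOpenerAccess, userInteracted, now }) {
    const a = site(opener), b = site(finalHost);
    if (!hadOpenerAccess || !userInteracted || a === b) return false;
    this.grants.set(`${a}|${b}`, now + 30 * DAY);
    return true;
  }

  // Scenario B: A redirects to B, B receives an interaction, and the chain
  // returns to A (possibly via other origins) -> 15-minute grant.
  recordRedirectFlow({ chain, interactedOn, now }) {
    const a = site(chain[0]), b = site(interactedOn);
    const returnsToA = site(chain[chain.length - 1]) === a;
    const bVisited = chain.slice(1, -1).some(h => site(h) === b);
    if (!returnsToA || !bVisited || a === b) return false;
    this.grants.set(`${a}|${b}`, now + 15 * MIN);
    return true;
  }

  // Would a request from `embedded` get its cookies? `ancestors` is the frame
  // chain from the top-level page down to the requesting frame's parent; the
  // grant is keyed on the top-level site, and every intermediate frame must be
  // same-site with A or B (the ancestor-chain rule in the text above).
  allowsCookies({ embedded, ancestors, now }) {
    const a = site(ancestors[0]), b = site(embedded);
    const expiry = this.grants.get(`${a}|${b}`);
    if (expiry === undefined || now > expiry) return false;
    return ancestors.every(h => site(h) === a || site(h) === b);
  }
}
```

Note that a grant obtained under a.com says nothing about b.com embedded under c.com, and a c.com iframe between a.com and b.com blocks access even while the grant is live.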
For more detailed information about the heuristics you can read the corresponding explainer.
The heuristics-based exceptions demo lets you test third-party cookie access with and without heuristics exceptions.