1 of 11

3PC Deprecation

Exemption Heuristics

TPAC 2023

2 of 11

Review - Third-party cookie deprecation

Most browsers have turned down support for third-party cookies, and others are on track to do so
This may cause user-facing breakage, particularly for auth flows
There have been proposals to mitigate this, but most of them involve support from site developers
We will discuss methods of automatically validating sites based on user behavior patterns, and providing them temporary 3PC access on that client
There should be a balance of mitigating user breakage while minimizing privacy and security risks

Current ecosystem - popup heuristic

Scenario:

Current ecosystem - popup heuristic

Formal heuristic:

A site is loaded in a pop-up window with opener access, possibly following a series of HTTP redirects
The site either receives a user interaction after it’s loaded, or it has received a user interaction in the past 30 days*
The loaded site receives 3PC access on the opener document for 30 days

This heuristic has been implemented by Firefox, and a similar one by Safari

* If there were any HTTP redirects in the popup, only user interactions after loading apply

Current ecosystem - redirect heuristic

Scenario:

Current ecosystem - redirect heuristic

Formal heuristic:

A third-party site redirects to a first-party site (possibly through other origins in between)
The third-party site has received a user interaction in the last 30 days
The third party receives 3PC access on the first party for 15 minutes

This heuristic has been implemented by Firefox

Privacy considerations

Collaborating entities may exploit these heuristics to obtain a 3PC exemption for tracking purposes
We also risk leaking user history data by proxy of whether storage access is granted for a particular user behavior

e.g. a 1P opens a popup to a 3P
The 1P then loads a resource from the 3P and checks to see if cookies are sent (e.g. by examining its maximum allowed size)
From this, the 1P can infer whether the user has been on the 3P in the last 30 days (and thus satisfies the heuristic)

Security considerations

A malicious first party may unilaterally force the heuristic via a popup or redirect to an arbitrary third party
A first party with a 3PC exemption may exploit the third party’s credentialed requests. This is an existing vulnerability that 3PCD aims to address.

e.g. a 1P opens a popup to a 3P and satisfies the heuristic
The 1P then embeds the 3P which is allowed to make credentialed requests on the 1P
The 1P hijacks these credentials and begins making cross-site credentialed requests to the 3P

Privacy and security - mitigations

Scope of cookie access - each grant is keyed by (first_party, third_party) and is valid only for the top-level site, first-level embeds, and nested same-site embeds
User signals - user interaction should be necessary for each heuristic, and a user may opt out
Duration - we could reduce the grant duration, but this increases user friction for cookies used for authentication
Control over heuristics - could we give third parties the capability to opt out and avoid abuse by malicious first parties?

Chrome's Proposal

Our starting proposal is outlined in the explainer
Given the security concerns, we do not propose solving for scenarios where only prior user interaction would be required
We plan to prototype with the popup heuristic with current interaction, as well as a modified redirect heuristic where:

Discussion

How often do these scenarios trigger?
Do you see them trigger for critical use cases?
How does removing support for these patterns impact the user-facing experience?
How long should the storage access grant last for each scenario?
How else would we modify the heuristics to balance mitigating site breakage and minimizing security risks?
How can we turn down support for these exemptions? (We welcome feedback on how to encourage the ecosystem to rely less on these heuristics.)