Below is a summary of the Cookies Having Independent Partitioned State (a.k.a. CHIPS) explainer: GitHub - DCtheTall/CHIPS: A proposal for a cookie attribute to partition cross-site cookies by top-level site. If you are interested in learning more about this proposal, I recommend reading the entire proposal there.
Major browsers have already begun to restrict cookies sent in cross-site contexts (i.e. third-party cookies) since these cookies have the potential to identify users and track their behavior across different top-level sites.
In these cases, the cross-site requests are for sites that are owned by a different organization than the owner of the browser’s top-level site, so First-Party Sets are not sufficient to meet these use cases.
We propose a new opt-in cookie attribute, Partitioned, which servers can use to indicate that they wish to set a cross-site cookie that is partitioned by top-level site.
Set-Cookie: __Host-sid=a3e9f; Secure; HttpOnly; Path=/; Partitioned;
Then the resulting cookie would only be sent to embed.saas.com when the browser’s top-level site is example.com. In other words, if the user navigates to a different top-level site that makes cross-site requests to embed.saas.com, those requests would not include the cookie set on example.com.
When major browsers no longer support unpartitioned third-party cookies, these
Important takeaways from the explainer
- Opt-in cookie attribute, Partitioned, instead of partitioning by default.
- Browsers must enforce that Partitioned cookies also adopt other semantics which help improve the security of cookies by requiring that in order to use Partitioned, a cookie must also use the
- Browsers must enforce limitations on the size of a third party’s cookie jar per-partition, but not across different partitions, in order to avoid leaking cross-site information to third parties.
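
The partitioning behaviour and the per-partition limit described above, modelled as an added example (not code from the explainer or from any browser). The jar is keyed on the top-level site plus the embedded host; the class and method names, the `MAX_PER_PARTITION` value and the `other.example` site are assumptions made for illustration.

```javascript
// Simplified model of a CHIPS-style cookie jar (added example, not browser code).
// MAX_PER_PARTITION is an illustrative value, not taken from the explainer.
const MAX_PER_PARTITION = 3;

class PartitionedJar {
  constructor() {
    this.store = new Map(); // "topLevelSite|host" -> Map(name -> value)
  }

  // Parse a Set-Cookie header value into name, value and attribute flags.
  static parse(header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
    const eq = pair.indexOf("=");
    const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags };
  }

  // Store a cookie set by `host` while the user is on `topLevelSite`.
  // Only cookies carrying the Partitioned attribute are modelled here.
  set(topLevelSite, host, header) {
    const c = PartitionedJar.parse(header);
    if (!c.flags.has("partitioned")) return false; // out of scope for this model
    const key = `${topLevelSite}|${host}`;
    const bucket = this.store.get(key) ?? new Map();
    // The limit applies per (top-level site, host) partition, so filling one
    // partition reveals nothing about the host's cookies under other sites.
    if (!bucket.has(c.name) && bucket.size >= MAX_PER_PARTITION) {
      bucket.delete(bucket.keys().next().value); // evict oldest, this partition only
    }
    bucket.set(c.name, c.value);
    this.store.set(key, bucket);
    return true;
  }

  // Build the Cookie header for a request to `host` made under `topLevelSite`.
  cookieHeader(topLevelSite, host) {
    const bucket = this.store.get(`${topLevelSite}|${host}`) ?? new Map();
    return [...bucket].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}

// Constructed scenario: embed.saas.com sets the cookie while embedded on example.com.
function demo() {
  const jar = new PartitionedJar();
  jar.set("https://example.com", "embed.saas.com",
    "__Host-sid=a3e9f; Secure; HttpOnly; Path=/; Partitioned;");
  return {
    onExample: jar.cookieHeader("https://example.com", "embed.saas.com"),
    onOther: jar.cookieHeader("https://other.example", "embed.saas.com"),
  };
}
```
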