Cookies Having Independent Partitioned State (CHIPS)

Author

Himanshu

Date Published

Category

Tech
without-cookie-partitioni-bb0cbbf0c63d.png

What is CHIPS?

Cookies Having Independent Partitioned State (CHIPS) allows developers to opt a cookie into partitioned storage, with separate cookie jars per top-level site, improving user privacy and security.

Without partitioning, third-party cookies can enable services to track users and join their information from across many unrelated top-level sites. This is known as cross-site tracking.

CHIPS, the Storage Access API, and Related Website Sets are the only way to read and write cookies from cross-site contexts, such as iframes, when third-party cookies are blocked.

without-cookie-partitioni-bb0cbbf0c63d.png

Without cookie partitioning, a third-party service can set a cookie when embedded in one top-level site and access that same cookie when the service is embedded in other top-level sites.

CHIPS introduces a new cookie attribute, Partitioned, to support cross-site cookies that are partitioned by top-level context.

Set-Cookie header:

Set-Cookie: __Host-name=value; Secure; Path=/; SameSite=None; Partitioned;

Javascript:

document.cookie="__Host-name=value; Secure; Path=/; SameSite=None; Partitioned;"

A partitioned third-party cookie is tied to the top-level site where it's initially set and cannot be accessed from elsewhere. This way cookies set by a third-party service can only be read within the same embedded context of the top-level site where they were initially set.

with-cookie-partitioning-d3df97804f836.png

With cookie partitioning, a third-party service that sets a cookie when embedded in one top-level site cannot access that same cookie when the service is embedded in other top-level sites.

With partitioned cookies, when a user visits site A and embedded content from site C sets a cookie with the Partitioned attribute, the cookie is saved in a partitioned jar designated only for cookies that the site C sets when it's embedded on site A. The browser will only send that cookie when the top-level site is A.

When the user visits a new site, for example site B, an embedded C frame won't receive the cookie that was set when C was embedded in site A.

If a user visits site C as a top level website, the partitioned cookie that C set when it was embedded in A won't be sent in that request either.

with-cookie-partitioning-a19ff8bdd6d0d.png

With cookie partitioning, a third-party service that sets a cookie when embedded in a site cannot access that same cookie even when the users visits the service as top-level site.

Use cases

For example, the site retail.example may want to work with a third-party service support.chat.example to embed a support chat box on its site. Many embeddable chat services today rely on cookies to save state.

top-level-site-retailexa-b1bf622bc028e.png

Top-level site retail.example embedding a third-party service support.chat.example.

Without the ability to set a cross-site cookie, support.chat.example would need to find alternative, often more complex, methods to store state. Alternatively, it would need to be embedded in the top-level page which introduces risks because it allows the support.chat.example script to have elevated privileges on retail.example, such as the ability to access authentication cookies.

CHIPS provides an easier option to continue to use cross-site cookies, without the risks associated with unpartitioned cookies.

Example use cases for CHIPS include any scenarios where cross-site subresources require some notion of session or persistent state that is scoped to a user's activity on a single top-level site, such as:

  • Third-party chat embeds
  • Third-party map embeds
  • Third-party payment embeds
  • Subresource CDN load balancing
  • Headless CMS providers
  • Sandbox domains for serving untrusted user content (such as googleusercontent.com and githubusercontent.com)
  • Third-party CDNs that use cookies to serve content that's access-controlled by the authentication status on the first-party site (for example, profile pictures on social media sites hosted on third-party CDNs)
  • Front-end frameworks that rely on remote APIs using cookies on their requests
  • Embedded ads that need state scoped per publisher (for example, capturing users' ads preferences for that website)

Why CHIPS uses an opt-in partitioning model

Where access to unpartitioned third-party cookies is blocked, a couple of other approaches to partitioning have been attempted.

Firefox announced that they are partitioning all third-party cookies by default in their ETP Strict mode and private browsing mode, so all cross-site cookies are partitioned by the top-level site. However, partitioning cookies without a third-party opt-in can lead to unexpected bugs, since some third-party services have built servers which expect an unpartitioned third-party cookie.

Safari previously tried partitioning cookies based on heuristics, but eventually chose to block them altogether, citing developer confusion as one of the reasons. Recently, Safari expressed interest in an opt-in based model.

What sets CHIPS apart from existing implementations of partitioned cookies is the third-party opt-in. Cookies must be set with a new attribute in order to be sent on cross-party requests once (unpartitioned) third-party cookies are obsoleted.

While third-party cookies still exist, the Partitioned attribute provides an opt-in to a more restrictive, more secure type of cookie behavior. CHIPS is an important step to help services make a smooth transition to a future without third-party cookies.