How will third-party cookie deprecation work for Chrome extensions?

[sebastiansandqvist]

Given a Chrome extension that uses a cookie for authentication into the extension itself, will third-party cookie deprecation break authentication for the extension?

How will this affect the following:

1. Requests made by the background script
2. Requests made by the extension in a Side Panel
3. Requests made by the extension in content embedded in an arbitrary webpage

From my reading, adding partitioned to the cookie would still result in case 3 (possibly also case 2) being broken.

I've found a related StackOverflow thread about the same issue: https://stackoverflow.com/questions/68610480/chrome-extensions-and-third-party-cookies-alternative

[DCtheTall]

Hey Sebastian, thank you for your feedback and question!

For (1), as far as I am aware, there are no plans to have 3P cookie deprecation impact how background contexts in extensions interact with cookies. An extension's background script will be able to use cookies for any site the extension has permissions. This includes HTTP requests and the chrome.cookies API.

For (2), I assume you mean custom DevTools panels that extensions can add? I myself have implemented a carve out for 3P cookie blocking which exempts these panels from this kind of blocking. If this is not what you mean, please let me know so I can make sure your concern is addressed.

For (3), are you referring to pages that embed an <iframe> that loads an extension URL? I assume so based on the SO post, but I want to confirm you are referring to that and not something else. If that is the case, we do not have a 3P cookie blocking exception in place, but this is an active area of development for us since we understand this is a pain point for developers.

[sebastiansandqvist]

Glad to hear that (1) is supported and that it sounds like (3) may be supported eventually.

For (2), I am referring to the SidePanel API. It sounds like a similar issue to the DevTools panels, though, so I am hopeful there's a similar solution.

[samdutton]

No replies in >4 months so I'll close this, but feel free to reopen if necessary.

[sebastiansandqvist]

@samdutton This issue is still unresolved, so I do not think it should be closed as completed. In particular, 3PCD will likely break Chrome extensions that make cookie-authenticated requests via the SidePanel. Do you have any updates on whether the concerns I outlined above have been or will be addressed prior to the full roll out of third party cookie deprecation?

[samdutton]

No worries @sebastiansandqvist — happy to reopen.

Also note that Chrome is proposing a new approach for user choice with third-party cookies: privacysandbox.com/news/privacy-sandbox-update.

[oliverdunk]

Hi @sebastiansandqvist, requests made from a side panel benefit from the same exception @DCtheTall mentioned previously. In particular, as noted here:

Third-party cookies are never blocked even in subframes if the top-level page for a given tab is a chrome-extension:// page.

This is a fairly broad exception which may be refined in the future but there aren't currently any plans to change that.