Steps to make your Third-Party cookies work as before

2024's hottest topic. Are you ready to react?

Welcome to our 143rd edition!

🔥 Top Stories

  1. Sunsetting of Cookies 😐️ Cookieless browsing: what does that look like? It’s certainly going to be a bummer for a lot of marketing folks, as they depend heavily on third-party cookies.

  2. How Google perfected the World Wide Web that we know today

  3. In Chrome DevTools, hold shift while hovering over a request and it will highlight the initiator in green and dependencies in red.

🌟 Spotlight

The hot topic of this year is definitely Chrome sunsetting 3PC (Third-Party Cookie) support. This puts various multi-billion dollar digital marketing companies at risk.

Well, let’s say it: the primary candidate affected by this change is Google 🤣. They are the market leader in the advertising industry by a very large margin.

Do you think they would make changes so drastic that digital marketing and digital advertising could not survive?

Well, I heard all of you. The answer is a big NOOOO.

With that in mind, let’s dive into the changes made by Chrome to prevent 3PC support (aka SameSite=None;) and how you can solve your problem.

Let’s take ourselves back in time to understand how it all started.

Now that we have some idea of the timeline of events that led us to where we are, let’s understand what the future holds for us.

I’ll try to address some of the common problems that will arise out of this phase-out program.

1P Cookies

No change in the usage of 1P cookies. 1P cookies are the ones set by the site itself and are used for authentication, shopping cart, and various other use cases related to the customer experience.

If you depend only on 1P cookies, this change will not affect you.

2P Cookies

Meh, if you expect something in this one, you should go learn more about web cookies 🤣

In short, there are no 2P cookies. You have 2P data but that’s not of importance here.

3P Cookies

You will have issues to address. 3P cookies are the ones set by digital marketers/advertisers to track the customers’ experience across sites in order to personalize advertisements and recommendations for individual users. GDPR and CCPA both have problems with this kind of individual identification, which can lead to a larger impact, as one saw during the Cambridge Analytica scandal.

But 3P cookies are not just used for marketing, right? There can be legitimate use cases that need cookies shared cross-site (3P): SSO (Single Sign-On), sharing the shopping cart across sites under the same parent, …

OK, How do I know if I have a 3P cookie?

Good question!

Taking Google Chrome as an example: open Developer Tools, select the Application tab, and under Storage select Cookies.

If you see something like SameSite=None;, then it is a 3P cookie.

Mine is a legitimate use case, how can I protect myself?

Hmm, I understand you, pal. As I see it, you have a few options:

1. CHIPS (Cookies Having Independent Partitioned State)

Don’t ask me if they came up with the acronym or the full version first 🤣

This name seems better aligned 😉

You know I didn’t understand any of the above, right?

Well, sure. Neither did I, until I spent some time understanding them so you don’t have to. (You will definitely thank me, later!)

Let’s go over some common use cases and see what can be applied.

Use case 1

I’m the owner of a multi-billion dollar e-commerce brand. It sells shoes, groceries, meat, books, and so on. The funny thing is, when I developed this, I set up new TLDs (.com, .org, .co, …) for each and every product catalog. Silly me!

But I did one great thing: you shop in one store, and your shopping cart is shown in the other stores as well. You know, easy checkout 🤣

Me: 😐🤦‍♂️ You, Mr. Intelligent Owner, have to address this issue or be ready to go out of business soon.

Mr. Intelligent Owner: Please help me solve my issue. In return, I will make sure to always read your newsletter.

Me: Yeah, you never will. But I will help you, don’t worry.

With your use case, it is enough to declare that the collection of all your TLDs is related. You can use the RWS (Related Website Sets) approach to solve your problem.

{
    "primary": "https://your-main-site.com",
    "associatedSites": [
        "https://your-site-1.com",
        "https://your-site-2.com",
        "https://your-site-3.com",
        ...
    ]
}

You should then go ahead and raise a GitHub PR (Pull Request) here - https://github.com/GoogleChrome/related-website-sets. You can read more about the guidelines here. (Not mandatory, see why?)

Mr. Intelligent Owner: That’s it? Now everything will get back to normal? I felt like I didn’t make any change at all.

Me: Didn’t I tell you? 🤣🤣🤣

Well, there is one more thing. You can no longer access these 3P cookies directly via document.cookie.

You need to access them via the Storage Access API by invoking the requestStorageAccess() method. This will not show users a prompt asking for storage access, as the GitHub PR grants default access. Actually, you can even skip submitting a GitHub PR, but then the site would request storage access directly from the users every time it tries to access a 3P cookie.

Mr. Intelligent Owner: This seems to be more of a workaround for privacy that also ensures Google stays unaffected.

Me: 🤫 Shhh.
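The Storage Access API flow described above, for script running inside the cross-site iframe, as an added example that is not code from this newsletter or from Chrome. ensureCookieAccess, wireCartButton and the loadCart/showFallback callbacks are hypothetical names, and the document is passed in as a parameter so the logic can run against a stub.

```javascript
// Added example. Runs inside the embedded cross-site iframe; `doc` is that
// iframe's document (passed in so the logic can also run against a stub).
async function ensureCookieAccess(doc) {
  // Older browsers: no Storage Access API, so there is nothing to request.
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return 'unsupported';
  }
  // First-party context, or an earlier grant is still active.
  if (await doc.hasStorageAccess()) return 'granted';
  try {
    // Needs a user gesture. Inside a Related Website Set the browser grants
    // this silently; outside one, the user sees a permission prompt.
    await doc.requestStorageAccess();
    return 'granted';
  } catch (err) {
    // The promise rejects when there was no gesture or access was refused.
    return 'denied';
  }
}

// Hypothetical wiring: only touch the shared cart after access is granted.
function wireCartButton(doc, button, loadCart, showFallback) {
  button.addEventListener('click', async () => {
    const state = await ensureCookieAccess(doc);
    if (state === 'granted') loadCart();
    else showFallback(state);
  });
}
```

Treat 'denied' and 'unsupported' as normal outcomes and fall back to a flow that does not need the shared cookie, such as a redirect through the primary site.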

Use case 2

You’re a digital marketer and you want to understand the user experience across various sites to suggest recommendations and ads. This way, your cookie is lying around all the customers’ websites (assuming you have trackers on all of these websites), and you are hence able to understand what customers did on each of these websites using your 3P cookies.

Me: It’s a little tricky. You will not be able to get the whole experience as in older times, but you can still exist. Now, along with your SameSite=None; attribute, you will have to add an additional attribute, Partitioned, and of course this must be added together with the Secure attribute.

Digital Ad agency owner: What the hell is that? 😡🤬

Me: Calm down, Mr. owner. Let me explain.

Digital Ad agency owner: Do it faster 😡

Me: OK OK OK. Here you go.

Earlier case:

Unpartitioned cookie experience

You’re the Digital Ad Agency (C) and you dropped your tracking cookie (hopefully with consent 😉) on sites A.com, and B.com.

Now, I’m that unfortunate customer who visits A.com (an e-commerce site) and browses Mobile phones. I get bored and open B.com (A social network) to chat with friends.

Now, C being you, knows about my activities on both these sites, and since you also know my search history and interests, you suggest ads about Mobile phones on B.com. I get chills. I feel like someone is watching me. Someone knows what I am going to buy. I get paranoid and close the laptop.

A while later, with a fresh mind, I opened B.com and this time I ended up purchasing a mobile phone.

You, Mr. C, have controlled my actions. You get profits.

While silly me gets paranoia and a stupid mobile phone that doesn’t even hold a charge for an hour straight 🤦‍♂️

Mr. Digital Ad owner, you may not be able to do exactly this any more, but you can still get me paranoid a bit differently.

Partitioned Cookie Experience

Let’s take the same example of A.com and B.com.

You, Mr. C, still track me; you can still know what I do on A.com and B.com, but you won’t be able to use that information across different websites. In other words, you can only suggest ads on A.com using the cookies you track from A.com, and likewise for B.com. For this to even happen, you need to modify your cookies to use the Partitioned and Secure attributes along with SameSite=None;

Mr. Digital Ad Agency Owner: OMG. I’m getting paranoid now. What can I do?

Me: Karma is a bitch! I’m just returning the favor. Well, you can’t do anything, just like how I couldn’t do anything earlier.
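To make both the "do I have a 3P cookie?" check and the partitioned versus unpartitioned experience concrete, here is an added example (not the newsletter's code): classify() audits a Set-Cookie header for the attributes discussed above, and trackerView() is a toy model of the cookie jar for tracker C. The header strings and the host c.example are constructed for illustration.

```javascript
// Added example. Parse one Set-Cookie header value into name + lower-cased attributes.
function parseSetCookie(header) {
  const [pair = '', ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: eq === -1 ? '' : pair.slice(0, eq), attrs };
}

// Say how a cookie fares once unpartitioned third-party cookies are blocked.
function classify(header) {
  const { attrs } = parseSetCookie(header);
  // Chrome treats a cookie without SameSite as Lax, so it never travels cross-site.
  const sameSite = String(attrs.samesite || 'Lax').toLowerCase();
  if (sameSite !== 'none') return 'first-party';
  if (!attrs.secure) return 'rejected'; // SameSite=None without Secure is dropped
  return attrs.partitioned ? 'partitioned' : 'blocked-3p';
}

// Toy cookie jar for tracker C (hypothetical host c.example) embedded on several sites.
// Returns, per identifier C stored, the top-level sites it can link together.
function trackerView(partitioned, visits) {
  const jar = new Map();
  const linked = {};
  for (const topSite of visits) {
    // CHIPS keys the jar on (top-level site, cookie host); the old jar keys on host only.
    const key = partitioned ? `${topSite}|c.example` : 'c.example';
    if (!jar.has(key)) jar.set(key, `uid-${jar.size + 1}`);
    const uid = jar.get(key);
    linked[uid] = (linked[uid] || []).concat(topSite);
  }
  return linked;
}

const samples = [ // constructed headers
  'sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax',
  'track=1; SameSite=None',
  'track=1; Secure; SameSite=None',
  '__Host-track=1; Secure; Path=/; SameSite=None; Partitioned',
];
for (const h of samples) console.log(classify(h).padEnd(12), h);
console.log(trackerView(false, ['A.com', 'B.com'])); // one id spans both sites
console.log(trackerView(true, ['A.com', 'B.com']));  // a separate id per site
```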

Authentication

Performance

😂 Fun memes

The struggle is real! It’s worse than responsive design support. We should call it paper design 🤣
