I pay for Youtube Premium, which uses third-party cookies to not show ads on embedded videos.
https://privacysandbox.com talks about advertising, but not "logged in elsewhere" functionality. Does Youtube or Google have something ready, or will all Youtube Premium subscribers see ads on embedded videos?
>Ads appear on brand safe sites: YouTube works diligently so that our advertisers' brands appear on sites that reflect our respective core values. Our systems closely evaluate websites and their content against various factors when finding out whether to turn on In-stream ads on YouTube embeds. These factors include a strict set of guidelines on content like adult imagery, violence, inappropriate and hateful language, and sites that promote infringement.
The recommended solution for embedded content is the Storage Access API, which has broad browser support. (I don't know that YouTube has implemented it yet, but I'd be surprised if it's not there soon.)
Oh, that's worrisome. I'm trying to implement it in our embedded content soon, because some of our customers got caught up in Chrome's third party cookie blocking 1% trial that started a week or two ago.
Any specific problems you ran into that you could share?
Aren't those just iframes, which is effectively just youtube loading inside an existing web page instead of its own tab. I would assume first party cookies would work just fine for this.
Nope, an iframe on an unrelated site is exactly what turns it into a third party cookie. (The user and the site they're visiting are the first two parties; the embedded site is the third party.)
Put another way, an ad iframe loading a tracking (identity) cookie is indistinguishable from a YouTube iframe loading a login (identity) cookie.
i still don't follow. i guess my point is, when an embedded video loads for me, youtube still knows that it's me. it gives me the same recommended videos i'd get if i were on youtube.com directly. so i assume since i pay for premium, it'd also skip ads on embedded videos too. i wouldnt know because i use ublock.
> when an embedded video loads for me, youtube still knows that it's me
If/when third party cookie blocking is fully deployed, this won't be true. Your browser won't send YouTube's session cookie to YouTube when it's loaded in an iframe on an unrelated site, so YouTube won't know you're a premium user.
I am not convinced this is ever going to actually happen. Google won't roll this out until they are sure that their new solution basically has the same effect for advertisers as cookies, but with a new fancy name with "privacy" in it (when its anything but).
Google needs to be forced to spin out Chrome to someone else, it is a clear conflict of interest when nearly every (or every? are there any that haven't?) other browser has already taken steps for actual privacy instead of dressing up a new tracking system.
While we wait for this to never happen, we should be encouraging everyone to use any other browser so google doesn't have the marketshare to strong-arm the web anymore.
That doesn't reflect the reality of the situation. Google has been trying to make this transition happen for years. The CMA is the one strong-arming them into maintaining the status quo. The article even mentions 39 new concerns raised which has resulted in yet another extension.
Without this interference, third-party party cookies would have been dead years ago.
It's at least as private as third party cookies. And unlike third party cookies there is a path to improve privacy as technology improves.
Some of the required technologies (private model training, debuggable trusted execution environments) are still research topics, so some sacrifices have to be made until it can be deployed.
Sorry, I'm not a WSJ subscriber. It wouldn't surprise me if Google are being squeezed between two organizations with different goals though.
Ultimately the Privacy Sandbox has dozens of different proposals, and each is on a separate standards track. It's not a singular technology.
I will say that many of the proposals do directly improve user privacy, or offer more-private alternatives to existing APIs. But I'd also be surprised if there weren't objections as well. It's the web, and scrutiny is important.
This isn't Google strong-arming the web. This is Google desperately wanting to turn off third-party cookies, and being told again and again by regulators that they aren't allowed to do so.
Google has strong armed the web in other situations with Chrome, there are multiple cases of them implementing things that google has proposed to w3c but has not been accepted yet.
Regarding this, it's been 4 years. I am not letting google off the hook with this, especially when many other browsers already block third party cookies.
I stand by my opinion that an ad company operating a browser is a clear conflict of interest. If they didn't, this "privacy" feature would never have been a thing and this would have been done years ago.
> there are multiple cases of them implementing things that google has proposed to w3c but has not been accepted yet.
Yes but the question is why is anyone using those things when they are only supported in a single browser? If its not fully supported by the major 4 browsers then its not getting put in my code, simple.
The question that you need to ask is why they desperately want to get rid of them.
The answert is that the solution they are proposing hinders other ad compnies and give google unfair advantage in the ad space. Hence the they are not allowed to do for competition reasons.
In this specific instance, as the article says, the delay is because the CMA (the UK competition authority) needs more time to evalute the feedback from Google's competitors on the proposal.
But regulators from both the US and the EU have made similar statements.
> Google won't roll this out until they are sure that their new solution basically has the same effect for advertisers as cookies
Google actually has interest for new solution having weak performance, since it will shift Ads funds from 3p sites to their own properties(search, youtube, maps) where 3p are not as critical.
Good enough for me. Chrome's implementation of partitioned cookies does not work for our use-case, though Firefox's implementation works well. Google has still got some work to do before they go ahead and break everyone's web apps, in my opinion: https://github.com/privacycg/CHIPS/issues/82
I spent over a week upgrading a project last January, over what was supposed to be my winter break... Had to rewrite some of the core internals from scratch to prepare for this. I'm not saying they weren't good changes, but the urgency is not nice haha.
It would be good to stabilize and have widespread support for CHIPS before disable 3rd party cookies entirely, there are use cases beyond advertising for these.
Embedding content from one site to another like with an iframe, that requires cookie based credentialed login. As far as I’m aware, Cookies are still the safest way to use session tokens and require the browser to keep those hidden from JS environments with http-only, reducing the risk of XSS attacks.
the web version of Microsoft Teams doesn't work with 3rd party cookies disabled. I have been eagerly awaiting this change so I can use browser teams, it is the one thing I care about that doesn't work with 3rd party cookies disabled.
edit: to my surprise apparently web teams (both "old" and "new") no longer needs 3rd party cookies enabled. Last I checked was a few months ago.
The only good thing about Teams is the fact that I can use the web version to join meetings and avoid using Teams.
It had one @&_+ing job...
And they managed to instead product design something with 2 (3?) different chat models, limitations around every corner, an incomplete API for basic use cases (e.g. getting notified of @'s), and an embedded ability to build entire apps inside Teams.
when you set a cookie, by default it sets it at the sub-domain level. You can opt-into setting it at a parent sub-domain (or the root-domain) level if you want.
So for example:
a.foo.com sets cookie X (Set-Cookie: X=value;)
a.foo.com sets a cookie Y on foo.com (Set-Cookie: Y=value; domain=foo.com)
That seems a bit too conspiracy theorist, especially considering most people have 3rd party cookies on and teams has been around for a long time now (I assume before Google announced removing 3rd party cookies)
I think the answer is more banal in that some of their oauth flow runs in a different domain from the main application. I think this is tied to wanting to reuse part of oauth flow in the desktop application.
The funny thing is that they actually have a specific error message for this asking you to enable 3rd party cookies. I guess it is easier than fixing the issue.
"privacy sandbox" is a deceiving name,it is a harmful tracking tech,glad regulators(UK's privacy watchdog ICO) are waking up,but that also means status quo of 3rd party cookies remains until it's fixed https://www.wsj.com/tech/google-cookies-replacement-not-enou...
The main problem with disabling third-party cookies is that for certain applications (especially those using iframes and enterprise apps are full of iframes), the proposed alternatives have bugs.
Interestingly, Firefox does have these bugs, but these apps will not work on Firefox due to other issues.
Actually, it’s not clear whether these are bugs or just different interpretations of the specifications
Dear Internet user, third party cookies are also used be embedded web applications in services such as salesforce. Cookies are not only used for tracking, but also as an example, secure session allowing the bank to secure your login and also the person on the phone when call in helping you via their login. There are decades worth of applications created that likely will not be fixed…
Why should all of Society pay so that Saleforce, a profit-making company, doesn't have to maintain its software?
I have 3rd party cookies as well as all ads and trackers blocked and have no major issues. On the odd occasion a site doesn't work, it doesn't get my business/attention. Non-technical people should be afforded the same protections.
I agree with you, but I do think it's fallacious to zero in on Salesforce in the example. That wasn't (likely) intended as a defense of Salesforce, it was just an example showing that there is a long historical usage of third party cookies that aren't purely for ads and tracking. It's impossible to predict how many things might break for people. For me (a uMatrix user and Firefox user) it will be zero. But for people who work and compute inside a corporate office using internal software that was "optimized for IE 6" but they still need to do their job, and the customers they serve (I have no doubt there would be plenty of government offices that will have to tell citizens who need government services to go pound sand), it will be highly disruptive. Dismissing all of those people and use cases with "who cares about Salesforce" is myopic and (for anyone with decision making ability) deeply irresponsible.
That said, this has been on the table now for years so it's time for the operators of these old apps to feel the heat. The Times They Are A-Changin'
You do not appear to understand the “third party” part of “third party cookies”.
Secure sessions (ie first party cookies) are unaffected. Your bank is likely entirely unaffected beyond whatever tracking cookies they’ve been installing.
These cookies have nothing to do with the people you call into. If the bank’s help desk can access your first party cookies, may God have mercy on them because hackers and the government won’t.
These changes almost entirely affect third party tracking, and the occasional niche, legitimate use case. Those are fairly rare, in my experience. The vast majority of core functionality in applications are fine with only first party cookies.
All Google had to do was not enable 3rd party cookies in chrome. Safari and WebKit by default have always blocked 3rd party cookies by default - literally from day 1 - but google added support for them and enabled them by default because their business model requires spying on users.
If they had just not added this tracking vector in the first place this would not be something to debate.
I was going to make a snarky comment, but I realized it's possible you just don't know how cookies, 3rd party or otherwise, work.
3rd party cookies are the original way advertising companies spied on users, and the only way the vast majority of companies can spy on you. What they do is make is so that when you request a resource you can attach cookies to the request that are not from the domain making the request, so that if you have multiple unrelated sites requesting https://advertiser.com/resource they will share the same cookies and allow the operator of advertiser.com to uniquely identify the same user regardless of the site actually being visited. Wikipedia has a big page on this specific technical concept: https://en.wikipedia.org/wiki/Third-party_cookies
This is what a "3rd party cookie" is in the context of blocking "3rd party cookies", and this is what more or less every browser other than chrome now does (except maybe edge?). Safari has had blocking 3rd party cookies be the default behavior since the very first betas. It was the first browser to do this by years, to this day I'm not sure why Firefox didn't immediately follow suit, but that's something best answered by someone from Mozilla of the era.
The article you're pointing to is discussing a further hardening of the restrictions, ITP, and origin based cookie segregation. These are all increases in the degree to which cookies are blocked, and these are necessary specifically to deal with privacy invasive tracking that companies like google and Facebook are able to do.
For the overwhelming majority of tracking networks simply blocking 3rd party cookies is sufficient. But over the last decade or so companies like Google have aggressively introduced new mechanisms to promote their 3rd party cookies into the sets that can be shared. Google has been very aggressive in this by working extremely hard to get as many webdevs as possible to add spyware to their pages to get "metrics".
There are numerous steps they take - redirect loops were in vogue for a while, i'm not sure what they're doing now - basically trying to either link a cookie from the domain embedding the tracking code to a cookie on the advertisers domain, or promote the "3rd party" domain into being part of the primary site. Defeating that requires cookie segregation (so that every site you visit has a different cookie vault for every different origin it contacts), and things like "tracking protection" which tries to detect sites that are being pinged from many different origins (implying they're for tracking rather than site content) and severely curtailing any cookies for those origins.
The post you linked to is talking about that, and it sounds like an end game step which is that loads to any resource from a different origin gets no cookie state at all, which historically didn't seem possible due to many weird ways sites managed account login and the like but maybe things have changed since then.
This world of cookie segregation and tracking prevention is _significantly_ stricter and more powerful protection, and is far beyond the "3rd party cookie blocking" that google is still delaying to this day, and has been something safari and Firefox have been doing for years, but it came after, and in response to, companies like google trying to circumvent the privacy provided by 3rd party cookie blocking.
This is also why google is now talking about blocking 3rd party cookies - they've spent more than a decade come up with ways to track people in spite of 3rd party cookie blocking, and they have no implemented any of the privacy protections Firefox and safari have been shipping for years (nor is chrome likely to implement anything of the kind). Google (and FB, etc) are in a position where they can do this, but smaller advertising networks can't (google has tracking code on almost every page as part of their "we'll provide you with analytics/metrics" scam).
The article is literally about blocking third party cookies by default. They also introduced some other things, but before the release in that article, they were not blocking third party cookies by default.
In Safari, if you loaded a pixel from https://advertiser.com/resource that was referenced on different sites, advertiser.com would get the same cookie. This is still true. What blocking third party cookies means is that advertiser.com can't set a cookie when its pixel is loaded from another website. Safari didn't even think to implement it until Chrome announced that they would do it and worked with web publishers to migrate away. As far as sending cookies to a different origin, Safari didn't even support the SameSite attribute until 2019, three years after Chrome and one year after Firefox. It's not for nothing that Safari gained its reputation for being slow at adopting web standards.
It looks to me that the only reason Google is pursuing "Privacy Sandbox" is because Chrome dominates the browser marketplace. (I put it in quotes because it neither preserves privacy, nor is it a sandbox). If I don't want 3rd-party cookies (I don't!) then I just toggle them off in Firefox. Sandbox is opaque in the sense that ordinary users can't hope to understand it; and a privacy guarantee is useless, if the user can't understand it. WTF is k-anonymity? I looked it up on Wikipedia, and I still don't understand it.
I guess that's why the Competition and Markets Authority is involved.
K-anonymity is where you determine that you need at least K individuals in a group with a certain number of shared personal information such that you can't identify individuals within that group. For example, people >2m tall with January birthdays who's favorite color is red. If there was only one person in that group then you could identify them, so you shouldn't use that grouping. But if there are 1000 people in that group (in your dataset), then you can't ID them, so it's okay.
k-anonymity means there must be at least k persons (or similar) that have identical data in the dataset. E.g. with k=5 there has to be at least 5 rows for each unique set of column values.
It's easily broken if multiple such datasets are combined. And that's probably exactly what the commercial surveillance industry does.
When I was young and I did not understand much about computers, and Chromium was also young, I was receiving a somewhat local paper magazine about computers.
This magazine had their OWN branded browser, based on Chromium and many used that.
Why don't they just unilaterally disable third-party cookies by default without providing any replacement? The only slightly valuable functionality that would be lost would be authentication in comment widgets like Disqus.
Ah, right, the makers of the world's most popular web browser are also the world's most profitable online advertising company, that's why.
I do love when rhetorical questions actually have a simple answer. I'll admit I had a similar thought as GP (though I wouldn't have posted that thought as a comment without at least taking a look to verify my assumptions). I'm glad to see that it isn't a simple conflict-of-interest with their business that is holding it up.
A great pro-tip I try to follow (but sometimes fail since this is human nature): don't make assumptions, and don't be over-confident if you don't know. It can be especially embarrassing if TFA is quite short and well covered
I think the CMA does think it's a conflict of interest which is why they are stepping in. It seems like they think it's in Google's favor to remove third party cookies without a replacement.
Thanks that is interesting. To be clear though I meant a conflict-of-interest inside of Google. E.g. the ad division influencing the browser division to slow the roll to avoid damaging revenues/sales.
But I hadn't even considered that this might benefit Google, but that certainly makes sense! I'm grateful for good old British skepticism :-) Looking forward to their findings.
That's not what the article says. The CMA is intervening based on their plan of replacing cookies with Topics (née FLoC). If they just wanted to drop 3p cookies without a replacement, they could.
Hahaha...Oh, you're serious. Let me laugh harder...
The CMA has specifically mentioned that just blocking 3rd party cookies would provide Google an unfair competitive advantage because their large web presence allows them to develop better user advertising profiles based on just first party information. Advertisers without a large first party user base (because they only do advertising) would not be able to develop user profiles.
The whole privacy sandbox effort it's supposed to level the playing field between large content providers that are also advertisers (Google, Facebook, etc) and providers that only do advertising (Criteo, RTBHouse, etc). Google couldn't drop 3rd party cookies support without Privacy Sandbox.
I couldn't find a citation via google but perplexity helped me find [0] which does state your point clearly. So why are they allowed to have disabling them as an option at all? Since by that argument, customers that disable for privacy, further entrench google.
>If they just wanted to drop 3p cookies without a replacement, they could.
That's debatable, but I doubt that's the case. The CMA isn't a privacy organization; they deal with monopolies. They're intervening at the behest of other advertisers who are concerned that they'll lose the ability to adequately track users under the Privacy Sandbox proposal. The CMA's chief concern is that everybody is on equal footing.
The alternatives proposed for more private ad targeting have gone through multiple evolutions, including FLoC and Topics, but these were created largely in response to the CMA's objections.
The CMA is a UK-only body. Why would this hold up a commitment to remove 3P cookies globally?
Sounds like a very flimsy excuse, Safari has blocked 3PC by default for years, so the restriction would apply to iOS Chrome as well. Didn't need the UK to sign off on it.
Meanwhile, in the Chrome MV2 -> MV3 extension saga, it seems like June 2024 is the newest new date in which MV2 may be phased out in pre-stable versions of Chrome.
I have a Manifest V2 extension in the Chrome Web Store that has a "featured" badge, and Google has been sending me emails that feel a bit coercive:
> To maintain your extension's Featured status, you will need to migrate it to Manifest V3 by June 3rd. [...] Extensions that do not complete this transition will see their Featured badge removed
> Manifest Version 3 extensions will be prioritized in the Chrome Web Store, including in search results and recommendations
> Beginning June of this year, we will begin to gradually disable extensions running Manifest V2 for Chrome users
> Thank you for your cooperation and participation in the Chrome extension ecosystem.
I am really dismayed that an advertising company has such a stranglehold on the web. They are not good custodians.
The browser extension I created, and presumably many others, will see no benefit from this forced change. To the contrary, Manifest V3 will hinder the functionality of some extensions, including the widely used and beloved uBlock Origin[1].
Nevertheless, if I wish to keep my extension in the Chrome Web Store, and keep it working in Chrome browsers, I am required to bend to Google's demands and spend a considerable chunk of my time to perform this unnecessary update. And it must be done NOW!, with an artificial sense of urgency. Time is precious, and I'd really rather not donate mine to a multibillion dollar advertising corporation. Google is the primary beneficiary of Manifest V3. They are demonstrating why they abandoned their "Don't be evil" mantra[2].
My browser extension doesn't make money. I made it purely to improve my own browsing experience, and shared it for free with others. It's working fine on Manifest V2, and has done so for years. I have no desire to learn Google's crappy new implementation.
I pay for Youtube Premium, which uses third-party cookies to not show ads on embedded videos.
https://privacysandbox.com talks about advertising, but not "logged in elsewhere" functionality. Does Youtube or Google have something ready, or will all Youtube Premium subscribers see ads on embedded videos?
There is also a Federated Credential Management (FedCN) API coming in, that should help somewhat.
https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API
Thank you! Will look!
> Youtube Premium, which uses third-party cookies to not show ads on embedded videos
The third party cookies don't control ads in embedded videos, there are currently no ads in embedded videos whether you have paid for premium or not.
I have a bookmarklet that converts a youtube page to an embed for this reason, for when I get sick of seeing the same couple of adverts on a loop.
I see ads in YouTube embeds all the time.
I can't say I remember doing so, unless you count sponsor segments and other inline ads like those at the end of most clips.
I certainly don't when using the inline-from-youtube-itself-via-bookmarklet trick.
It's whitelisted based on the embedding domain.
https://support.google.com/youtube/answer/132596
>Ads appear on brand safe sites: YouTube works diligently so that our advertisers' brands appear on sites that reflect our respective core values. Our systems closely evaluate websites and their content against various factors when finding out whether to turn on In-stream ads on YouTube embeds. These factors include a strict set of guidelines on content like adult imagery, violence, inappropriate and hateful language, and sites that promote infringement.
The recommended solution for embedded content is the Storage Access API, which has broad browser support. (I don't know that YouTube has implemented it yet, but I'd be surprised if it's not there soon.)
https://developer.mozilla.org/en-US/docs/Web/API/Storage_Acc...
https://developers.google.com/privacy-sandbox/3pcd/storage-a...
The Storage Access API is an unmitigated pile of garbage. Google's page on it admits as much (https://developers.google.com/privacy-sandbox/3pcd/storage-a...).
From Google's own page: "Work is continuing to resolve all remaining blocking issues, before standardizing the API."
Oh, that's worrisome. I'm trying to implement it in our embedded content soon, because some of our customers got caught up in Chrome's third party cookie blocking 1% trial that started a week or two ago.
Any specific problems you ran into that you could share?
Perhaps they should switch to first party cookies?
How would that work on embedded videos on sites outside of YouTube/Google, which is what the parent comment is talking about?
Aren't those just iframes, which is effectively just youtube loading inside an existing web page instead of its own tab. I would assume first party cookies would work just fine for this.
Nope, an iframe on an unrelated site is exactly what turns it into a third party cookie. (The user and the site they're visiting are the first two parties; the embedded site is the third party.)
Put another way, an ad iframe loading a tracking (identity) cookie is indistinguishable from a YouTube iframe loading a login (identity) cookie.
i still don't follow. i guess my point is, when an embedded video loads for me, youtube still knows that it's me. it gives me the same recommended videos i'd get if i were on youtube.com directly. so i assume since i pay for premium, it'd also skip ads on embedded videos too. i wouldnt know because i use ublock.
> when an embedded video loads for me, youtube still knows that it's me
If/when third party cookie blocking is fully deployed, this won't be true. Your browser won't send YouTube's session cookie to YouTube when it's loaded in an iframe on an unrelated site, so YouTube won't know you're a premium user.
i appreciate the explanation! thanks!
Previous discussion on an older decision in 2021 to extend the deadline to 2023: https://news.ycombinator.com/item?id=27617620
I am not convinced this is ever going to actually happen. Google won't roll this out until they are sure that their new solution basically has the same effect for advertisers as cookies, but with a new fancy name with "privacy" in it (when its anything but).
Google needs to be forced to spin out Chrome to someone else, it is a clear conflict of interest when nearly every (or every? are there any that haven't?) other browser has already taken steps for actual privacy instead of dressing up a new tracking system.
While we wait for this to never happen, we should be encouraging everyone to use any other browser so google doesn't have the marketshare to strong-arm the web anymore.
That doesn't reflect the reality of the situation. Google has been trying to make this transition happen for years. The CMA is the one strong-arming them into maintaining the status quo. The article even mentions 39 new concerns raised which has resulted in yet another extension.
Without this interference, third-party party cookies would have been dead years ago.
Privacy sandbox is not private, that's why ICO(UK's privacy watchdog) raised concerns,https://www.wsj.com/tech/google-cookies-replacement-not-enou...
It's at least as private as third party cookies. And unlike third party cookies there is a path to improve privacy as technology improves.
Some of the required technologies (private model training, debuggable trusted execution environments) are still research topics, so some sacrifices have to be made until it can be deployed.
Sorry, I'm not a WSJ subscriber. It wouldn't surprise me if Google are being squeezed between two organizations with different goals though.
Ultimately the Privacy Sandbox has dozens of different proposals, and each is on a separate standards track. It's not a singular technology.
I will say that many of the proposals do directly improve user privacy, or offer more-private alternatives to existing APIs. But I'd also be surprised if there weren't objections as well. It's the web, and scrutiny is important.
This isn't Google strong-arming the web. This is Google desperately wanting to turn off third-party cookies, and being told again and again by regulators that they aren't allowed to do so.
Google has strong armed the web in other situations with Chrome, there are multiple cases of them implementing things that google has proposed to w3c but has not been accepted yet.
Regarding this, it's been 4 years. I am not letting google off the hook with this, especially when many other browsers already block third party cookies.
I stand by my opinion that an ad company operating a browser is a clear conflict of interest. If they didn't, this "privacy" feature would never have been a thing and this would have been done years ago.
> there are multiple cases of them implementing things that google has proposed to w3c but has not been accepted yet.
Yes but the question is why is anyone using those things when they are only supported in a single browser? If its not fully supported by the major 4 browsers then its not getting put in my code, simple.
But isn't that a direct by-product of Chrome being owned by Google.
If Chrome was made by an independent company regulators couldn't care less if they disabled third party cookies.
We honestly can't know whether the regulators would care, or whether they would be making different decisions.
But that counterfactual seems totally irrelevant to the claims the GP was making?
We actually do since other browsers have blocked third party cookies for a several years now.
The question that you need to ask is why they desperately want to get rid of them.
The answert is that the solution they are proposing hinders other ad compnies and give google unfair advantage in the ad space. Hence the they are not allowed to do for competition reasons.
Who regulates 3rd party cookies (aside from Warren G)?
In this specific instance, as the article says, the delay is because the CMA (the UK competition authority) needs more time to evalute the feedback from Google's competitors on the proposal.
But regulators from both the US and the EU have made similar statements.
> Google won't roll this out until they are sure that their new solution basically has the same effect for advertisers as cookies
Google actually has interest for new solution having weak performance, since it will shift Ads funds from 3p sites to their own properties(search, youtube, maps) where 3p are not as critical.
Totally. They do that with PAIR nowadays.
Good enough for me. Chrome's implementation of partitioned cookies does not work for our use-case, though Firefox's implementation works well. Google has still got some work to do before they go ahead and break everyone's web apps, in my opinion: https://github.com/privacycg/CHIPS/issues/82
One additonal security mechanism you might suggest:
The opener specifically whitelists the embeder's domain in a response header.
I spent over a week upgrading a project last January, over what was supposed to be my winter break... Had to rewrite some of the core internals from scratch to prepare for this. I'm not saying they weren't good changes, but the urgency is not nice haha.
That's just poor time management though
I don't know why you're downvoted, the original deadline was set for January 2020.
It would be good to stabilize and have widespread support for CHIPS before disable 3rd party cookies entirely, there are use cases beyond advertising for these.
https://developer.mozilla.org/en-US/docs/Web/Privacy/Privacy...
What are the use cases beyond tracking that make the tradeoff worth having 3rd party cookies?
Embedding content from one site to another like with an iframe, that requires cookie based credentialed login. As far as I’m aware, Cookies are still the safest way to use session tokens and require the browser to keep those hidden from JS environments with http-only, reducing the risk of XSS attacks.
the web version of Microsoft Teams doesn't work with 3rd party cookies disabled. I have been eagerly awaiting this change so I can use browser teams, it is the one thing I care about that doesn't work with 3rd party cookies disabled.
edit: to my surprise apparently web teams (both "old" and "new") no longer needs 3rd party cookies enabled. Last I checked was a few months ago.
The only good thing about Teams is the fact that I can use the web version to join meetings and avoid using Teams.
It had one @&_+ing job...
And they managed to instead product design something with 2 (3?) different chat models, limitations around every corner, an incomplete API for basic use cases (e.g. getting notified of @'s), and an embedded ability to build entire apps inside Teams.
One-to-one calls won't work on web Teams for me using Firefox, but group calls will, for some reason.
It is annoying, but Firefox asks if you want to allow to use the 3rd party cookies for specific domain.
Example of how it looks:
https://hacks.mozilla.org/files/2021/02/Screenshot-2021-02-0...
In the example, the 3rd party is a sub-domain name. Are sub-domains treated the same as unqualified, "second level" domain names?
https://en.m.wikipedia.org/wiki/Domain_name
when you set a cookie, by default it sets it at the sub-domain level. You can opt-into setting it at a parent sub-domain (or the root-domain) level if you want.
So for example:
a.foo.com sets cookie X (Set-Cookie: X=value;)
a.foo.com sets a cookie Y on foo.com (Set-Cookie: Y=value; domain=foo.com)
b.foo.com can read Y, but can not read X
You could use Multi-Account Containers in Firefox for MS Browser Teams, to keep their 3rd party cookies contained to themselves (and thus useless).
I use Brave, when I want to use browser teams I just open another browser exclusively for that.
Pure speculation, but maybe there's more to this. If Teams refuses to work in Chrome, it might drive run of the mill employees to Edge?
On Windows I have switched to Edge for Teams.
That seems a bit too conspiracy theorist, especially considering most people have 3rd party cookies on and teams has been around for a long time now (I assume before Google announced removing 3rd party cookies)
I think the answer is more banal in that some of their oauth flow runs in a different domain from the main application. I think this is tied to wanting to reuse part of oauth flow in the desktop application.
The auth flow for Teams has always been very buggy so that is a good guess.
The funny thing is that they actually have a specific error message for this asking you to enable 3rd party cookies. I guess it is easier than fixing the issue.
Microsoft auth flows are such a dumpster fire that it makes me curious about how it got to be that way.
> That seems a bit too conspiracy theorist
Remember "DOS Isn’t Done Until Lotus Won’t Run"?
That large companies do self-serving underhanded tricks is not a conspiracy, just yet another Monday in the office.
> This is the third time Google has pushed back its original deadline set in January 2020.
What a joke!
Dear CMA, Can you please let Google do the right thing and disable third party cookies like every other browser vendor.
"privacy sandbox" is a deceiving name,it is a harmful tracking tech,glad regulators(UK's privacy watchdog ICO) are waking up,but that also means status quo of 3rd party cookies remains until it's fixed https://www.wsj.com/tech/google-cookies-replacement-not-enou...
Per my understanding, privacy sandbox has been rolled out for a long time already. There is no reason to still keep third party cookies around.
The main problem with disabling third-party cookies is that for certain applications (especially those using iframes and enterprise apps are full of iframes), the proposed alternatives have bugs.
Interestingly, Firefox does have these bugs, but these apps will not work on Firefox due to other issues.
Actually, it’s not clear whether these are bugs or just different interpretations of the specifications
Enterprises can allow third party cookies via browser policy.[1]
[1] https://chromeenterprise.google/policies/#BlockThirdPartyCoo...
So companies need to pay for Chrome Enterprise Premium? Great!
No, you don't need Chrome Enterprise Premium for browser policy/management.[1]
[1] https://chromeenterprise.google/products/chrome-enterprise-p...
I think the concern is that it will make Ads on non-google websites much less efficient and will seriously damage all other companies.
Dear Internet user, third party cookies are also used be embedded web applications in services such as salesforce. Cookies are not only used for tracking, but also as an example, secure session allowing the bank to secure your login and also the person on the phone when call in helping you via their login. There are decades worth of applications created that likely will not be fixed…
Why should all of Society pay so that Saleforce, a profit-making company, doesn't have to maintain its software?
I have 3rd party cookies as well as all ads and trackers blocked and have no major issues. On the odd occasion a site doesn't work, it doesn't get my business/attention. Non-technical people should be afforded the same protections.
I agree with you, but I do think it's fallacious to zero in on Salesforce in the example. That wasn't (likely) intended as a defense of Salesforce, it was just an example showing that there is a long historical usage of third party cookies that aren't purely for ads and tracking. It's impossible to predict how many things might break for people. For me (a uMatrix user and Firefox user) it will be zero. But for people who work and compute inside a corporate office using internal software that was "optimized for IE 6" but they still need to do their job, and the customers they serve (I have no doubt there would be plenty of government offices that will have to tell citizens who need government services to go pound sand), it will be highly disruptive. Dismissing all of those people and use cases with "who cares about Salesforce" is myopic and (for anyone with decision making ability) deeply irresponsible.
That said, this has been on the table now for years so it's time for the operators of these old apps to feel the heat. The Times They Are A-Changin'
You do not appear to understand the “third party” part of “third party cookies”.
Secure sessions (ie first party cookies) are unaffected. Your bank is likely entirely unaffected beyond whatever tracking cookies they’ve been installing.
These cookies have nothing to do with the people you call into. If the bank’s help desk can access your first party cookies, may God have mercy on them because hackers and the government won’t.
These changes almost entirely affect third party tracking, and the occasional niche, legitimate use case. Those are fairly rare, in my experience. The vast majority of core functionality in applications are fine with only first party cookies.
All Google had to do was not enable 3rd party cookies in chrome. Safari and WebKit by default have always blocked 3rd party cookies by default - literally from day 1 - but google added support for them and enabled them by default because their business model requires spying on users.
If they had just not added this tracking vector in the first place this would not be something to debate.
Literally from day 6,286: https://webkit.org/blog/10218/full-third-party-cookie-blocki...
Did Safari also originally enable third party cookies by default for the purpose of enabling spying on its users?
I was going to make a snarky comment, but I realized it's possible you just don't know how cookies, 3rd party or otherwise, work.
3rd party cookies are the original way advertising companies spied on users, and the only way the vast majority of companies can spy on you. What they do is make is so that when you request a resource you can attach cookies to the request that are not from the domain making the request, so that if you have multiple unrelated sites requesting https://advertiser.com/resource they will share the same cookies and allow the operator of advertiser.com to uniquely identify the same user regardless of the site actually being visited. Wikipedia has a big page on this specific technical concept: https://en.wikipedia.org/wiki/Third-party_cookies
This is what a "3rd party cookie" is in the context of blocking "3rd party cookies", and this is what more or less every browser other than chrome now does (except maybe edge?). Safari has had blocking 3rd party cookies be the default behavior since the very first betas. It was the first browser to do this by years, to this day I'm not sure why Firefox didn't immediately follow suit, but that's something best answered by someone from Mozilla of the era.
The article you're pointing to is discussing a further hardening of the restrictions, ITP, and origin based cookie segregation. These are all increases in the degree to which cookies are blocked, and these are necessary specifically to deal with privacy invasive tracking that companies like google and Facebook are able to do.
For the overwhelming majority of tracking networks simply blocking 3rd party cookies is sufficient. But over the last decade or so companies like Google have aggressively introduced new mechanisms to promote their 3rd party cookies into the sets that can be shared. Google has been very aggressive in this by working extremely hard to get as many webdevs as possible to add spyware to their pages to get "metrics".
There are numerous steps they take - redirect loops were in vogue for a while, i'm not sure what they're doing now - basically trying to either link a cookie from the domain embedding the tracking code to a cookie on the advertisers domain, or promote the "3rd party" domain into being part of the primary site. Defeating that requires cookie segregation (so that every site you visit has a different cookie vault for every different origin it contacts), and things like "tracking protection" which tries to detect sites that are being pinged from many different origins (implying they're for tracking rather than site content) and severely curtailing any cookies for those origins.
The post you linked to is talking about that, and it sounds like an end game step which is that loads to any resource from a different origin gets no cookie state at all, which historically didn't seem possible due to many weird ways sites managed account login and the like but maybe things have changed since then.
This world of cookie segregation and tracking prevention is _significantly_ stricter and more powerful protection, and is far beyond the "3rd party cookie blocking" that google is still delaying to this day, and has been something safari and Firefox have been doing for years, but it came after, and in response to, companies like google trying to circumvent the privacy provided by 3rd party cookie blocking.
This is also why google is now talking about blocking 3rd party cookies - they've spent more than a decade come up with ways to track people in spite of 3rd party cookie blocking, and they have no implemented any of the privacy protections Firefox and safari have been shipping for years (nor is chrome likely to implement anything of the kind). Google (and FB, etc) are in a position where they can do this, but smaller advertising networks can't (google has tracking code on almost every page as part of their "we'll provide you with analytics/metrics" scam).
The article is literally about blocking third party cookies by default. They also introduced some other things, but before the release in that article, they were not blocking third party cookies by default.
In Safari, if you loaded a pixel from https://advertiser.com/resource that was referenced on different sites, advertiser.com would get the same cookie. This is still true. What blocking third party cookies means is that advertiser.com can't set a cookie when its pixel is loaded from another website. Safari didn't even think to implement it until Chrome announced that they would do it and worked with web publishers to migrate away. As far as sending cookies to a different origin, Safari didn't even support the SameSite attribute until 2019, three years after Chrome and one year after Firefox. It's not for nothing that Safari gained its reputation for being slow at adopting web standards.
Die a hero or live to see yourself become a villain.
It looks to me that the only reason Google is pursuing "Privacy Sandbox" is because Chrome dominates the browser marketplace. (I put it in quotes because it neither preserves privacy, nor is it a sandbox). If I don't want 3rd-party cookies (I don't!) then I just toggle them off in Firefox. Sandbox is opaque in the sense that ordinary users can't hope to understand it; and a privacy guarantee is useless, if the user can't understand it. WTF is k-anonymity? I looked it up on Wikipedia, and I still don't understand it.
I guess that's why the Competition and Markets Authority is involved.
K-anonymity is where you determine that you need at least K individuals in a group with a certain number of shared personal information such that you can't identify individuals within that group. For example, people >2m tall with January birthdays who's favorite color is red. If there was only one person in that group then you could identify them, so you shouldn't use that grouping. But if there are 1000 people in that group (in your dataset), then you can't ID them, so it's okay.
k-anonymity means there must be at least k persons (or similar) that have identical data in the dataset. E.g. with k=5 there has to be at least 5 rows for each unique set of column values.
It's easily broken if multiple such datasets are combined. And that's probably exactly what the commercial surveillance industry does.
Google delays third-party cookie demise in the Chrome browser yet again. Nothing is stopping anyone else from turning off third party cookies.
Defaults matter. 95% of people don't change defaults.
Chrome is not the default on anything other than android and ChromeOS. Yet it's quite popular to use chrome on Mac, Windows, Linux, and iOS.
When I was young and I did not understand much about computers, and Chromium was also young, I was receiving a somewhat local paper magazine about computers.
This magazine had their OWN branded browser, based on Chromium and many used that.
Now that I think about, what a gigachad magazine.
Chrome is the "default" on Google and Google is the default search engine for most people.
I wonder if that's due to marketshare. Chrome is so dominant, maybe it's the only browser that really matters these days?
Why don't they just unilaterally disable third-party cookies by default without providing any replacement? The only slightly valuable functionality that would be lost would be authentication in comment widgets like Disqus.
Ah, right, the makers of the world's most popular web browser are also the world's most profitable online advertising company, that's why.
>Why don't they just unilaterally disable third-party cookies by default without providing any replacement?
It's explained in the article, and below in this thread. They legally cannot due to intervention from the CMA.
I do love when rhetorical questions actually have a simple answer. I'll admit I had a similar thought as GP (though I wouldn't have posted that thought as a comment without at least taking a look to verify my assumptions). I'm glad to see that it isn't a simple conflict-of-interest with their business that is holding it up.
A great pro-tip I try to follow (but sometimes fail since this is human nature): don't make assumptions, and don't be over-confident if you don't know. It can be especially embarrassing if TFA is quite short and well covered
I think the CMA does think it's a conflict of interest which is why they are stepping in. It seems like they think it's in Google's favor to remove third party cookies without a replacement.
Thanks that is interesting. To be clear though I meant a conflict-of-interest inside of Google. E.g. the ad division influencing the browser division to slow the roll to avoid damaging revenues/sales.
But I hadn't even considered that this might benefit Google, but that certainly makes sense! I'm grateful for good old British skepticism :-) Looking forward to their findings.
More importantly, it is also in customers favor to remove third party cookies.
That's not what the article says. The CMA is intervening based on their plan of replacing cookies with Topics (née FLoC). If they just wanted to drop 3p cookies without a replacement, they could.
Hahaha...Oh, you're serious. Let me laugh harder...
The CMA has specifically mentioned that just blocking 3rd party cookies would provide Google an unfair competitive advantage because their large web presence allows them to develop better user advertising profiles based on just first party information. Advertisers without a large first party user base (because they only do advertising) would not be able to develop user profiles.
The whole privacy sandbox effort it's supposed to level the playing field between large content providers that are also advertisers (Google, Facebook, etc) and providers that only do advertising (Criteo, RTBHouse, etc). Google couldn't drop 3rd party cookies support without Privacy Sandbox.
I couldn't find a citation via google but perplexity helped me find [0] which does state your point clearly. So why are they allowed to have disabling them as an option at all? Since by that argument, customers that disable for privacy, further entrench google.
[0] https://www.adexchanger.com/marketers/the-uks-cma-wants-ad-t...
>If they just wanted to drop 3p cookies without a replacement, they could.
That's debatable, but I doubt that's the case. The CMA isn't a privacy organization; they deal with monopolies. They're intervening at the behest of other advertisers who are concerned that they'll lose the ability to adequately track users under the Privacy Sandbox proposal. The CMA's chief concern is that everybody is on equal footing.
The alternatives proposed for more private ad targeting have gone through multiple evolutions, including FLoC and Topics, but these were created largely in response to the CMA's objections.
The CMA is a UK-only body. Why would this hold up a commitment to remove 3P cookies globally?
Sounds like a very flimsy excuse, Safari has blocked 3PC by default for years, so the restriction would apply to iOS Chrome as well. Didn't need the UK to sign off on it.
https://webkit.org/tracking-prevention/#intelligent-tracking...
Meanwhile, in the Chrome MV2 -> MV3 extension saga, it seems like June 2024 is the newest new date in which MV2 may be phased out in pre-stable versions of Chrome.
https://developer.chrome.com/blog/resuming-the-transition-to...
At least, to Google's credit, they're starting to listen to users who give them solid reasons why a surprise migration isn't feasible... tomorrow.
I have a Manifest V2 extension in the Chrome Web Store that has a "featured" badge, and Google has been sending me emails that feel a bit coercive:
> To maintain your extension's Featured status, you will need to migrate it to Manifest V3 by June 3rd. [...] Extensions that do not complete this transition will see their Featured badge removed
> Manifest Version 3 extensions will be prioritized in the Chrome Web Store, including in search results and recommendations
> Beginning June of this year, we will begin to gradually disable extensions running Manifest V2 for Chrome users
> Thank you for your cooperation and participation in the Chrome extension ecosystem.
I am really dismayed that an advertising company has such a stranglehold on the web. They are not good custodians.
Would you rather they deprecate manifest v2 without reaching out to developers to migrate?
The browser extension I created, and presumably many others, will see no benefit from this forced change. To the contrary, Manifest V3 will hinder the functionality of some extensions, including the widely used and beloved uBlock Origin[1].
Nevertheless, if I wish to keep my extension in the Chrome Web Store, and keep it working in Chrome browsers, I am required to bend to Google's demands and spend a considerable chunk of my time to perform this unnecessary update. And it must be done NOW!, with an artificial sense of urgency. Time is precious, and I'd really rather not donate mine to a multibillion dollar advertising corporation. Google is the primary beneficiary of Manifest V3. They are demonstrating why they abandoned their "Don't be evil" mantra[2].
My browser extension doesn't make money. I made it purely to improve my own browsing experience, and shared it for free with others. It's working fine on Manifest V2, and has done so for years. I have no desire to learn Google's crappy new implementation.
[1] https://www.androidauthority.com/google-chrome-manifest-v3-c...
[2] https://gizmodo.com/google-removes-nearly-all-mentions-of-do...
Or maybe the alternative to coercion isn't to communicate better but not to deprecate?