Vlas Bashynskyi

Third Party Cookies Blocked - Explained

If you are using Google Chrome or a different Chromium based browser, you may have seen a warning recently that says something about third party cookies being blocked. In this post I explain what that means, what third party cookies are and why they weren't invited to our party.

What Are Third Party Cookies?

Let's say that you're visiting https://example.com. Let's say that website makes an ajax request to https://example.com/init.php and that request has a set-cookie header. Cookies created with that set-cookie header are first-party cookies because the origin of that ajax request are the same as the hostname of the page that triggered that request.

Now let's say that the same page ( https://example.com ) is using a service to show users funny gifs and it is making a request to https://example-website-with-gifs.com/get-gifs.php to fetch information about what gifs to show. If that request returns a set-cookie header - that cookie will be considered third-party, because it originated from a different origin.

Third-party cookie deprecation

Because of the recent changes to the google chrome browser, these third party cookies will not be allowed by default.

You can read more about it here: Prepare for phasing out third-party cookies and here: Storage Partitioning.

What does this mean for chrome extension development?

If your chrome extension was relying on injecting an iframe that is hosted on a third-party origin and cookies or local storage to store user's access tokens and session data - that will not work anymore. The solution is to start using chrome.storage.local instead.