Cookies Having Independent Partitioned State (CHIPS) specification review

[DCtheTall]

Wotcher TAG!

I'm requesting a TAG review of CHIPS.

Given that browsers plan on deprecating or already have deprecated unpartitioned third-party cookies, we want to give developers the ability to use cookies in cross-site contexts that are partitioned by top-level site to meet cookie use cases that are not cross-site tracking related (e.g. SaaS embeds, headless CMS, sandbox domains, etc.). In order to do so, we introduce a mechanism to opt-in to having their third-party cookies partitioned by top-level site using a new cookie attribute, Partitioned.

• Explainer¹ (minimally containing user needs and example code): https://github.com/privacycg/CHIPS
• Specification URL: https://github.com/DCtheTall/CHIPS-spec
• Tests: https://github.com/web-platform-tests/wpt/tree/master/cookies/partitioned-cookies
• User research: N/A
• Security and Privacy self-review²: https://github.com/privacycg/CHIPS/blob/main/TAG-S%26P-questionnaire.md
• GitHub repo (if you prefer feedback filed there): https://github.com/privacycg/CHIPS/issues/
• Primary contacts (and their relationship to the specification):
  • Dylan Cutler (DCtheTall), Google Chrome
  • Kaustubha Govind (krgovind) Google Chrome
• Organization(s)/project(s) driving the specification: Google / Privacy Sandbox
• Key pieces of existing multi-stakeholder review or discussion of this specification:
  • https://github.com/privacycg/CHIPS/issues/
  • Cookies Having Independent Partitioned State (CHIPS) #654
• External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5179189105786880

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• Relevant time constraints or deadlines: N/A
• The group where the work on this specification is currently being done: Google / Privacy Sandbox
• The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): PrivacyCG
• Major unresolved issues with or opposition to this specification: N/A
• This work is being funded by: Google

You should also know that...

Early review of CHIPS concluded that CHIPS was privacy positive.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

[torgo]

Hi @DCtheTall thanks for this - we're happy to do another look and provide feedback. Can you please point us to a list of changes that have happened to the spec since the previous review, or otherwise let us know what those have been? Can you also provide some additional evidence on multi-stakeholder support? We're specifically looking for support / interest from other browsers and browser engine makers. Thanks! ✨

[torgo]

Follow-up: we found: Mozilla Standards Position and Webkit position…

[johannhof]

Hi @torgo, thank you for taking another look! This is the list of substantial changes from the previous proposal:

• The Partitioned attribute no longer requires the __Host- prefix or its required attributes. The Secure requirement remains. See Using HOST- prefix as a requirement seems like a bad idea / might not be possible to do privacycg/CHIPS#30
• We are changing the per-partition-per-domain limit to be based on the total size (in bytes) of the cookies set by a domain in a particular partition in addition to the number of cookies. We intend to impose a limit of 10 KB per-embedded-site, per-top-level-site and increase the numeric limit from 10 to 180. See 10 cookies per cookie jar limit privacycg/CHIPS#48
• For sites embedded in top-level domains that are in a First-Party Set, their cookies' partition key will no longer be the owner domain of that set. Rather, the partition key will always be the top-level domain that the cookie was created on. See Remove First-Party Sets from CHIPS design privacycg/CHIPS#44

[rhiaro]

Thanks for that information @johannhof that's really helpful. In general we're in favour of the trajectory of the spec, and appreciate seeing the thoughtful discussions you're having with other stakeholders.

I note that the Security and Privacy questionnaire hasn't been updated in line with the changes you've made. Eg. it says:

In order to prevent PII from leaking, this proposal requires that cookies which use the Partitioned attribute also have the __Host- prefix.

Are you able to do a pass and update this please?

[DCtheTall]

Good catch, thanks @rhiaro!

I have uploaded a PR to update the S&P questionnaire.

[rhiaro]

Thanks @DCtheTall - is 2.3 in the S&P questionnaire also affected?

[torgo]

@DCtheTall thanks for posting these updates. We're going to go ahead and close this one. Please feed back here on the Security & Privacy Questionnaire responses that @rhiaro mentioned when you can.