The End Of Third Party Cookies On The Web

Safari Is Serious

I’ve been dealing with the fallout of Safari ITP (Intelligent Tracking Prevention) since mid-2018. It hasn’t been an easy road. ITP dramatically limits the range of valid uses of third party cookies, and even for the remaining valid uses it requires following a strict set of rules.

As a user of the web, I liked what ITP was doing. As a developer, it made things difficult. Kudos to John Wilander on the WebKit team for taking the time to answer my questions.

I could see that Apple was serious about this. While I didn’t have any inside information as to what all of the browser vendors were planning, I strongly suspected that they would have no choice but to follow suit. I commented to a co-worker:

Remember how happy people were when browsers started blocking pop-up ads? This could go down a similar road.

The details of ITP changed over time, as Apple saw what sites were doing with the new restrictions. During the summer of 2019 Apple published the WebKit Tracking Prevention Policy, which made it clear that they were serious and going to push things even further:

There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be unintended impact.

When faced with a tradeoff, we will typically prioritize user benefits over preserving current website practices. We believe that that is the role of a web browser, also known as the user agent.

Safari Tech Preview already has an experimental feature for disabling all third party cookies.

Chrome SameSite and Firefox ETP

In 2019 Chrome announced they were going to add support for a new SameSite cookie value: None. SameSite=None changes how Chrome deals with third party cookies by default, but it is fairly easy for servers to add this new value and have everything work as before.

One additional requirement for SameSite=None is HTTPS. They went back and forth on that a bit, but ultimately settled on only allowing third party tracking cookies if they were done over HTTPS with the Secure cookie attribute. Given how widespread HTTPS has become, I didn’t see this as a huge shift either.
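
As an added example (not from the original post), the Python sketch below audits Set-Cookie headers against the two Chrome rules described above: SameSite=None as the explicit opt-in for third party use, and the Secure requirement that comes with it. The function names and sample cookies are hypothetical and constructed for illustration, and it assumes a cookie with no SameSite attribute falls under Chrome's new default (treated as Lax).

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def third_party_verdict(header):
    """Classify what happens to a cookie in a third party (cross-site) context."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # Explicit opt-in only counts when paired with the Secure attribute.
        return name, "sent" if "secure" in attrs else "rejected"
    if samesite in ("lax", "strict"):
        return name, "withheld-explicit"
    # No SameSite attribute: assumed to get the new Lax default. This sketch
    # also puts unrecognised SameSite values here (an assumption).
    return name, "withheld-default"


def audit(headers):
    """Return a (cookie name, verdict) pair for every Set-Cookie header."""
    return [third_party_verdict(h) for h in headers]


# Constructed sample headers, not taken from any real site.
SAMPLE_HEADERS = [
    "widget_session=abc123; Path=/; HttpOnly",
    "embed_pref=dark; SameSite=None",
    "embed_auth=tok=1; SameSite=None; Secure; HttpOnly",
    "site_login=xyz; SameSite=Strict; Secure",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name:15} {verdict}")
```

Cookies reported as withheld-default are the ones to review first: they worked in embedded contexts before the change and stop doing so without any server-side error.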

Both of these SameSite changes in Chrome are not scheduled to be live by default until February 2020, so we still don’t know exactly what their full impact will be.

A few months later Firefox announced that ETP (Enhanced Tracking Protection) would be enabled by default. This approach was different from Chrome and Safari, in that they were using a list of things to block. They also expanded it beyond third party tracking to cryptomining.

From my point of view Chrome and Firefox were both making moves in the right direction, but none of them were as big as Safari.

Then Chrome Goes Nuclear

Because Google makes so much money from ads, and they are able to do that in part because they track you everywhere, many people thought that Chrome would never get super serious about reducing the power of third party tracking. That all changed this week:

If Safari ITP was waging a war on third party tracking, then Chrome announced they were hitting the nuclear option: “Building a more private web: A path towards making third party cookies obsolete”. The quote from their announcement that is getting all the attention is:

… we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years.

No more third party cookies. Let that sink in for a minute.

Chrome is the most used browser in the world (it isn’t even close); a change like this is going to impact everyone on the web. It is so big that there are going to be ramifications I haven’t even thought of yet.

I wouldn’t be surprised if Safari comes out and says they are going to do the same thing. If they do, I would expect them to have an even more aggressive timeline. My guess: by the end of 2020.

The Clock Is Ticking

Now is the time to figure this out; it isn’t going to be any easier later on.