While trying to assess the impact of the upcoming phaseout of third-party cookies in Google Chrome, I built a simple page containing the "Sign in with Google" button. When disabling third-party cookies in Chrome (using the chrome://flags/#test-third-party-cookie-phaseout flag), I was surprised by the behavior I observed:
Because Chrome no longer sends cookies with any third-party requests, I expected the sign-in widget to not be able to determine my Google identity. Say, if I previously had signed in to Google, that information would be persisted in a cookie belonging to google.com or accounts.google.com. The widget embedded into my site would no longer have access to this cookie, or at least that was my expectation.
To my surprise, however, the widget on my site still showed my name, e-mail address and profile picture when I first visited the site. How is this possible? As it is embedded into my site, the Google sign-in button is clearly third-party content, and thus requests sent by this widget should not have access to cookies. However, looking at the requests in the developer tools, it is obvious that the requests sent by the widget to Google do in fact contain cookies. What am I missing?
chrome://flags/#tpcd-heuristics-grants?