
While trying to assess the impact of the upcoming phaseout of third-party cookies in Google Chrome, I built a simple page containing the "Sign in with Google" button. When disabling third-party cookies in Chrome (using the chrome://flags/#test-third-party-cookie-phaseout flag), I was surprised by the behavior I observed:

Because Chrome no longer sends cookies with any third-party requests, I expected the sign-in widget to not be able to determine my Google identity. Say, if I previously had signed in to Google, that information would be persisted in a cookie belonging to google.com or accounts.google.com. The widget embedded into my site would no longer have access to this cookie, or at least that was my expectation.

To my surprise, however, the widget on my site still showed my name, e-mail address and profile picture when I first visited the site. How is this possible? As it is embedded into my site, the Google sign-in button is clearly third-party content and thus, requests sent by this widget should not have access to cookies. However, looking at the requests in the developer tools it is obvious that the requests sent by the widget to Google do in fact contain cookies. What am I missing?

  • There are temporary exceptions to third-party cookie blocking. The Privacy Sandbox Analysis Tool may help you understand why cookies are allowed in your case. Commented Jul 11 at 13:26
  • Thanks, Heiko! The analysis tool is a fantastic resource, I did not know about it before. The PSAT tells me that the Google sign-in cookie is permitted as per the "third-party cookie phaseout heuristics". This does not make a lot of sense to me, as the heuristic exemption rules require the third-party page to either open a popup or trigger a redirect (see "Heuristics Based Exceptions"). The Google sign-in widget does neither.
    – Mathis
    Commented Jul 12 at 17:48
  • Is the cookie blocked if you disable chrome://flags/#tpcd-heuristics-grants? Commented Jul 15 at 7:05
  • Yes, with the flag disabled it is blocked. So it is indeed the heuristics. In that case I don't understand why they apply. Are they somehow triggering the heuristics without opening a popup?
    – Mathis
    Commented Jul 16 at 21:33

1 Answer

Thanks to Heiko Theißen for helping me figure it out!

Google is indeed making use of the automatic heuristics-based exceptions granted by Chrome. These require the user to interact once with Google through an iframe opened by the sign-in widget.

My mistake was believing that deleting Google's cookies would revoke their third-party cookie access on my site. However, the cross-site access grant persists for 30 days after the user first interacted with the site, even if all cookies are deleted (which I guess makes sense if you think about it). To revoke the grant before the 30 days are up, the only thing I've found to work short of deleting the entire browser profile is to delete the browsing data and in the "Advanced" tab tick the "Site settings" checkbox.

Deleting site settings in Google Chrome
