Request additional migration time with the third-party cookie deprecation trial

To facilitate testing, Chrome has restricted third-party cookies by default for 1% of Chrome users. Chrome plans to ramp up third-party cookie restrictions to 100% of users from Q3 2024, subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). For an easier transition through the deprecation process, we are offering a third-party deprecation trial which allows embedded sites and services to request additional time to migrate away from third-party cookie dependencies for non-advertising use cases.

Registration for this deprecation trial began in the week of December 4, 2023. The deprecation trial itself will begin in January 2024 and end on December 27, 2024. Developers are expected to make necessary changes and plans by the trial end date.

We acknowledge that there is a short period of time between when deprecation trial registrations open and when the Chrome Facilitated Testing period begins blocking 1% of cookies. To address these time constraints, Chrome is providing a grace period for participating origins while they work to deploy deprecation trial tokens. During the grace period, which will run through 30 June, 2024, origins registered for the deprecation trial will have access to third-party cookies in Chrome even if they have not yet deployed their tokens. The purpose of this grace period is to prevent web compatibility problems during the transition phase. Participating origins must deploy deprecation trial tokens before the end of the grace period.

Deprecation trials

Deprecation trials are a standard option that Chrome provides to allow sites to register for additional time to migrate away from the legacy functionality being removed. A deprecation trial is a type of origin trial that allows a feature to be temporarily re-enabled.

This trial is for the embeds and services that set third-party cookies and that meet our eligibility criteria outlined in the following section. In other words, if your embed or service is the third party, then you can register for the deprecation trial to temporarily re-enable your third-party cookies in all contexts where your embed or service is included. The trial only applies to the registered embedded origin and not the entire top level site domain that users visit.

A third-party/cross-site iframe example showing an embedded page from
https://embed.example/iframe.html on https://top.example and a
third-party/cross-site script example showing a script from
https://third-party.example/script.js included on https://top.example

Top-level sites that use third parties that rely on cookies do not need to sign up for this deprecation trial. You should audit the third-party cookies used within your site and contact your third-party providers to ensure they are prepared for the deprecation.

Eligibility criteria and review process

This deprecation trial differs from previous trials with the introduction of a review and approval process for participation. This is to strike a balance between improving privacy for people on the web, while still enabling the services they depend on to request extra time to migrate if necessary.

The principles guiding this deprecation trial are:

  • Preserving user-critical functionality: This deprecation trial is intended for third-party providers that demonstrate functional breakage in user journeys.
  • Limiting user tracking: The deprecation trial is not intended to support cross-site tracking for advertising purposes, and as such third-party embeds and services used for advertising are not eligible.

The ineligibility of advertising use cases will also help to ensure the deprecation trial does not interfere with the industry testing planned for the start of 2024 as described by the Competition and Markets Authority. This includes advertising-related domains that are also used for non-advertising purposes.

Chrome will initially work with Disconnect.me, an industry leader in internet privacy, and implement Disconnect's tracker protection lists to identify the scripts and domains categorized as advertising. Disconnect is already used by other browsers for similar purposes on the web.

We will apply the following process for registration requests:

  • If the third-party origin matches a known advertising domain, including if the origin matches an entry on the Disconnect advertising list, then the registration request will be rejected. In general, entries on the list will match all subdomains below the specified origin. Some entries, however, include a path element. These more specific entries will match the given origin, but not subdomains.
  • Steps to reproduce a broken user-facing experience must be provided. In particular, this should be an experience for the user operating the device where the cookie is stored, and not a user performing later analysis of data. If we cannot validate a broken user experience then the registration request will be rejected.
  • Otherwise the registration request will be approved.
  • If you state an origin is "similar" to a previously approved application, provide a description of the relationship between the origins.

We plan to offer an appeals process if the registering origin believes more information could clarify a review decision. The registrant can request an appeal by reapplying on the origin trial console. The intent of appeals is for requests that were rejected due to missing the requested information (known breakage bug and/or breakage repro steps) and/or if the registering origin believes more information could satisfy these requirements to clarify a review decision.

We are also approving anti-abuse and anti-fraud use cases where we can find corroborating evidence. We welcome feedback on how better to assess these use cases.

Apply for the deprecation trial

Include reproduction steps that our team can use to verify the functional breakage. Alternatively if it's easier and/or your functionality is gated by login or similar, you can provide a link to a recording of the steps to reproduce the problem, using Chrome DevTools Recorder.

  1. Navigate to Trial for Third Party Cookie Deprecation and click "Register".
  2. For "Web Origin", provide the origin which serves your embedded page or scripts.
  3. The "Third-party matching" option will depend on how you need to provide the token. The options are explained in more detail in Add the trial token.
    • If you are providing the token in an HTTP header or meta tag on your own embedded pages, do not check "Third-party matching".
    • If you are injecting the token with JavaScript into a different site, you must check "Third-party matching".
    • If you need to do both, you will need to make separate registrations.
  4. If you host cross-site content across multiple subdomains, then check the option "I need a token to match all subdomains of the origin.".
    • With this option selected, the token provided will match the domain registered, and domains below it. For example: register https://example.com to match example.com, www.example.com, foo.example.com, and bar.foo.example.com. If you register https://www.example.com, your token will match www.example.com and foo.www.example.com, but not foo.example.com.
    • Tokens will match multiple subdomains similarly to wildcard matching, e.g. *.<domain>. Request a token for example.com and it can be provided on a.example.com, b.example.com. Third-party cookie access will still only be re-enabled for the specific origins that provide the token, not all the subdomains. See What cookies are enabled when subdomain matching is enabled?.
    • If you host cross-site content across separate origins that are not under the same domain, you will need to make separate registrations for each origin.
  5. Acknowledge all conditions included in 'Disclosure and Acknowledgement' by checking all boxes.
  6. Submit the request.
  7. We require additional information to process your request. You will receive an email notification with an auto-generated ticket asking for the following:
    • The number of subdomains tied to your requested origin
    • The bug ID or link for the associated third-party breakage repo bugs that you previously reported to goo.gle/report-3pc-broken.
    • Any additional information/context about the breakage/use case that you would like us to consider. (In cases of an appeal for a denied trial request, explain why/how your origin meets the outlined criteria for this trial).

Once submitted, we will review your request and notify you when review is complete or if additional information is needed, and whether your request is either approved or denied. You will also receive the status and rationale for the result. If approved, you can proceed to provide the trial token as needed. If denied, you can follow the guidance in the request ticket.

Set flags for testing

At this time, we recommend you set the following flags, available from Chrome 123, to allow effective testing. This combination of flag settings will help replicate the Mode B user experience.

  • chrome://flags/#third-party-cookie-deprecation-trialenabled
    This is the default. Allow participation in the trial.

  • chrome://flags/#tracking-protection-3pcdenabled
    Turn on Tracking Protection: show the eye icon UI in the address bar to allow the user to temporarily enable third-party cookies for a site, and provide chrome://settings/trackingProtection instead of chrome://settings/cookies.

  • chrome://flags/#tpcd-metadata-grantsdisabled
    Make Chrome behave as if the grace period is not in effect. This can be used to check that your site has deployed deprecation trial tokens correctly, before the grace period ends (for a site that is subject to the grace period).

  • chrome://flags/#tpcd-heuristics-grantsdisabled
    Don't allow heuristics-based mitigations. This can be useful for testing that other longer-term fixes (without third-party cookies) are working as expected without heuristics mitigations, and that deprecation trial participation is working as expected.

If you need to manually test that the grace period is working as expected, before testing deployment, you will need to enable chrome://flags/#tpcd-metadata-grants instead of disabling.

Add the trial token

Refer to Get started with origin trials, Third-party origin trials, and Troubleshoot Chrome origin trials for more details.

You should include the trial token in all page responses where you want to set or send cookies in a cross-site context.

Provide the token in an HTTP header

If you need to re-enable third-party cookies for a page embedded within a cross-site iframe, you can include the Origin-Trial HTTP header in the page response:

Origin-Trial: TOKEN_GOES_HERE

This corresponds to not enabling "Third-party matching" in your deprecation trial registration as you are providing the token in your own responses.

That page response can set a cookie. Subsequent requests to that same origin, such as sub-resources in that page or navigations from that page will include the site's cross-site cookies and may also set cookies.

Diagram reiterating the token being provided on the page response.

If you need cross-site cookies to be on the very first request to your origin in the session, then you can also use Critical-Origin-Trial header passing the trial name:

Critical-Origin-Trial: Tpcd

This will cause the browser to retry the request with third-party cookies enabled.

The deprecation trial is provided as a persistent trial, which means that once the token has been received by the browser, the trial behavior will be applied until an iframe is loaded without a trial token present. It is recommended to send the trial token on each iframe load consistently.

Provide the token in a meta tag

Within a page, you can use a meta tag in the document <head>:

<meta http-equiv="origin-trial" content="TOKEN_GOES_HERE">

The meta tag will enable cross-site cookies for subsequent requests or JavaScript in the page, but you will need to use the HTTP header if you require existing cookies to be sent on the initial request.

Inject the token with JavaScript

If you need to enable third-party cookies for your origin before or without serving your own page request, for example, if cookies are required on a cross-site image request, or you intend to create an iframe with JavaScript, then you can inject the token into the top-level site using JavaScript:

const otMeta = document.createElement('meta');
otMeta.httpEquiv = 'origin-trial';
otMeta.content = 'TOKEN_GOES_HERE';
document.head.append(otMeta);

To allow this, you must enable "Third-party matching" in your deprecation trial registration as you are injecting the token for your origin (the third-party) into a different site.

A token with third-party matching enabled may be injected on any origin, including your own, and it will work.

Diagram reiterating that the third-party script injects the token in the
    parent page.

A persistent trial will still be disabled if an iframe is loaded without the trial token. You must consistently provide the trial token on all iframes loaded even if the trial was enabled with a third-party script load originally.

Validate your token

Open DevTools and navigate to the Application tab. Expand the Frames tree in the left-hand navigation. Selecting any frame will show an Origin Trials section if any tokens have been provided. If you are injecting the token into the top-level site, you will see this on the "top" entry. Otherwise you should select the frame that corresponds to your embedded page.

In the Origin Trials section, if you have provided a token you should see an entry for "Tpcd". If this has successfully enabled the feature, you will see a green "Enabled" status. Otherwise you will see a red error status and you can expand the entry to see the problem.

Only one valid token is needed to activate the deprecation trial. If you have registered for both first-party and third-party matching, it is not an issue if you provide both tokens within the page. For example, if you have a single page that may be embedded in different ways, then you do not need to dynamically choose a token, you can simply provide both and the trial will be enabled in either context.

What cookies are enabled?

The deprecation trial only enables third-party cookies for the origin registered for the trial. After activation third-party cookies will be present on iframe and subresource requests to that origin. Third-party cookies will also be available with document.cookie in iframes with that origin as well.

Cookie Domain attributes are not considered here. Only the request URL origin is considered. Once a request is determined to have third-party cookies all such cookies will be attached as normal even if the domain of a cookie is more permissive.

For example, if https://one.test.example is registered and its token is provided in an https://one.test.example iframe:

  • https://one.test.example/image.jpg will receive cookies set from https://one.test.example
  • https://one.test.example/image.jpg will receive cookies set from other origins with Domain=.test.example
  • https://test.example/image.jpg or https://two.test.example/image.jpg requests will not receive third-party cookies because they are not same-origin.

What cookies are enabled when subdomain matching is enabled?

The "match all subdomains" option allows a single token to be used on the registration origin or any origin with a more specific subdomain. A token for https://test.example with subdomain matching can be used to activate the trial with https://test.example, https://one.test.example, or https//two.test.example iframes and third-party script loads.

In addition, when subdomain matching is enabled, third-party cookies will also be available on requests and in iframes associated with corresponding subdomains. For example, if https://test.example uses subdomain matching, subresource requests like https://cdn.one.test.example/image.jpg will receive third-party cookies.

Trial deactivation does not take subdomain matching into account. To deactivate the trial an iframe exactly matching the origin in the registration must be loaded without a token. So a registration for https://test.example with subdomain matching can only be disabled by an https://test.example iframe without a token. This may change in the future, so we recommend providing a token on all subframe iframes when you want to enable the trial and removing tokens from all iframes when you want to deactivate the trial.

Trial token troubleshooting

Troubleshoot Chrome origin trials provides a comprehensive checklist to help you debug trial token registration and deployment.

There are a few frequently-encountered problems that you may encounter with this trial:

  • With the "I need a token to match all subdomains of the origin." option selected, the token provided will match the domain registered, and domains below it. For example: register https://example.com to match example.com, www.example.com, foo.example.com, and bar.foo.example.com. If you register https://www.example.com, your token will match www.example.com and foo.www.example.com, but not foo.example.com.
  • Third-party sites or services embedded on your website need to register for the trial themselves. You should not apply for a domain that you do not control/own.
  • If you make a mistake in your origin trial registration, you must make a new registration to correct errors and get a new token.

Frequently Asked Questions

  1. What if I have questions about the Disconnect.me list?
  2. Can I register for the deprecation trial if my domain is used for both advertising and non-advertising purposes?
    • Third-party embeds and services used for advertising are not eligible for the deprecation trial, for the reasons explained in this blog previously. This includes advertising-related domains that are also used for non-advertising purposes. For more information, see the Eligibility criteria and review process section.
  3. Will sites be able to see which of their partners have enrolled in the deprecation trial? Will they be able to limit the registration across their partners?
    • Yes, sites can see which embeds and services are relying on a deprecation trial token, by viewing token information in the Chrome DevTools Application panel. See Troubleshoot Chrome origin trials for more information.
    • Top level sites won't be able to limit registration across their partners or the embeds and services on their page. Contact the partner if that is desired.
  4. How is this trial different from other trials such as the User-Agent reduction origin trial?
    • The main way this deprecation trial is different is the new registration process that involves meeting the participation criteria and the new UI/pages in the origin trial console.
    • The second way this is different is that it is exclusively for third-party embedded sites to resolve the maximum amount of web compatibility issues across a number of sites/service clients.
  5. Will there be a first-party deprecation trial for third-party cookie deprecation that top level sites can enroll in to enable 3PCs for their entire site?
  6. How long will it take to review my deprecation trial application? Where can I check on the status of my application?
    • Response times may vary; you are encouraged to begin the registration process as soon as possible to ensure you will be ready ahead of 1% third-party cookie deprecation in early Q1. If you have not received any response within 1-2 weeks of submitting your registration, please contact 3pcd-deprecationtrial@google.com.
    • Bug thread for open conversation, decision status and rationale.
  7. Our deprecation trial registration has been approved, and we've deployed a trial token as recommended. However, the deprecation trial isn't working as expected. What should we do?