As of Chrome 115, storage, service workers, and communication APIs are partitioned in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts are also separated by the site of the top-level context.
Sites that haven't had time to implement support for third-party storage partitioning can take part in a deprecation trial to temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs in content embedded on their site.
In addition to a general unpartitioning deprecation trial, it's possible to participate in a focused deprecation trial just for window.sessionStorage. This trial is available due to a need for some sites to migrate their Firebase signInWithRedirect flow. For more information on that migration see Best practices for using signInWithRedirect on browsers that block third-party storage access.
To give developers more time to adapt to the new implementation of storage partitioning, the deprecation trials will be available until the release of Chrome 127, scheduled for July 23, 2024. The deprecation trial will expire for users on Chrome versions 111 to 126 on September 3rd, 2024.
Available deprecation trials
As of Chrome 115, two deprecation trials are available:
- DisableThirdPartyStoragePartitioning: allows a top-level site to unpartition (temporarily remove isolation by top-level site) in storage, service workers, and communication APIs in third-party content embedded on its pages.
- DisableThirdPartySessionStoragePartitioningAfterGeneralPartitioning: allows a site to unpartition sessionStorage across navigations.
Below is an overview of the deprecation trial and what to expect. If you have feedback to share or you experience any issues throughout this trial, let us know in the Partitioned Storage Deprecation Trial GitHub repository.
DisableThirdPartyStoragePartitioning
The following APIs will remain unpartitioned in third-party contexts should you enroll the top-level site in the DisableThirdPartyStoragePartitioning deprecation trial: Storage APIs (such as localStorage, sessionStorage, IndexedDB, Quota, and others), Communication APIs (such as BroadcastChannel, SharedWorkers, and WebLocks), and ServiceWorker API.
For a more detailed explanation, check out the project explainer.
DisableThirdPartySessionStoragePartitioningAfterGeneralPartitioning
If you enroll in the DisableThirdPartySessionStoragePartitioningAfterGeneralPartitioning deprecation trial, navigating a tab to an enrolled origin will cause all cross-site iframes of that same origin to remain unpartitioned only for Window.sessionStorage and only for the lifetime of that particular tab.
Whereas the DisableThirdPartyStoragePartitioning deprecation trial affects all third-party contexts embedded within the enrolled origin, the DisableThirdPartySessionStoragePartitioningAfterGeneralPartitioning deprecation trial instead registers a given origin to receive unpartitioned access when embedded in third-party contexts.
What does this mean for web developers?
Sites should audit their usage of unpartitioned storage, service worker, and communication APIs in third-party contexts, and, if needed, prepare for third-party partitioning before these deprecation trials expire. The intent is to expire these deprecation trials with the release of Chrome 127 on September 3, 2024.
To instruct the browser to unpartition storage in third-party content embedded on its pages, top-level sites need to register for one or both of the deprecation trials and add the corresponding trial token(s) to their HTTP response headers (see detailed example below).
Each deprecation trial is available on Windows, Mac, Linux, Chrome OS, and Android.
Participate in the deprecation trials
The following is a brief overview of how to participate in one or both of the deprecation trials. For more detailed instructions, visit Get started with origin trials.
- Launch Chrome version 115 (or later) and ensure the ThirdPartyStoragePartitioning flag is enabled.
- Verify that the behavior of third-party content embedded in your top-level site is broken by storage partitioning (if not, then no need to participate in the Deprecation Trials).
- Register for the deprecation trial and get a token for your domains by visiting the following:
  - For a top-level site to unpartition storage, service workers, and communication APIs in its third-party embedded content: DisableThirdPartyStoragePartitioning
  - For a top-level site to unpartition sessionStorage across navigations: DisableThirdPartySessionStoragePartitioningAfterGeneralPartitioning
- Add an origin trial token to your page:
  - For the DisableThirdPartySessionStoragePartitioningAfterGeneralPartitioning trial you may add an Origin-Trial: <DEPRECATION TRIAL TOKEN> to your top-level site's HTTP response header, where <DEPRECATION TRIAL TOKEN> contains the token you got when registering for the deprecation trial. You can also do this via HTML <meta> tag.
  - For the DisableThirdPartyStoragePartitioning trial, the token must be given via an HTML <meta> tag injected via JavaScript. The HTTP header method is not supported.
- Load your website in Chrome 115 (or later) with ThirdPartyStoragePartitioning still enabled and verify that any partitioning related issues have been properly mitigated.
- To stop participating in the deprecation trial simply remove the token you added in step 2.
The DisableThirdPartyStoragePartitioning deprecation trial does support the third-party origin trials feature, but the third-party script injecting the token must be evaluated in the top-level frame before the third-party iframe that won't have partitioning applied is loaded. The DisableThirdPartySessionStoragePartitioningAfterGeneralPartitioning deprecation trial does not support third-party origin trials as the enrollee must have been the top-level site at some point in the lifetime of the given tab. The guide to troubleshooting Chrome's origin trials provides a full checklist for ensuring your token is correctly configured.
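Because a token for these trials relaxes storage isolation, it is worth confirming what a token covers before adding it in the step above. The following is an added example, not code from the original page or from Chrome's tooling: it decodes a token's payload and reports scope that is wider than intended. It assumes the token's feature field carries the trial name shown on this page, uses a constructed sample with a zero-filled signature, and does not verify the signature.

```javascript
// Added example: audits an origin trial token's payload; it does NOT verify the signature.
// Token layout: base64( version[1] | signature[64] | payloadLength[4, big-endian] | JSON payload )

function parseOriginTrialToken(token) {
  const bytes = Uint8Array.from(atob(token.trim()), (c) => c.charCodeAt(0));
  if (bytes.length < 69) throw new Error("token too short");
  const version = bytes[0];
  if (version !== 2 && version !== 3) throw new Error("unknown token version " + version);
  const length = new DataView(bytes.buffer).getUint32(65, false);
  if (length !== bytes.length - 69) throw new Error("payload length mismatch");
  const payload = JSON.parse(new TextDecoder().decode(bytes.subarray(69)));
  return { version, ...payload };
}

// Returns a list of findings; an empty list means the token matches what you meant to deploy.
function auditToken(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const t = parseOriginTrialToken(token);
  const findings = [];
  if (t.feature !== expected.feature) findings.push(`feature is ${t.feature}`);
  if (t.origin !== expected.origin) findings.push(`origin is ${t.origin}`);
  if (t.expiry <= nowSeconds) findings.push("token has expired");
  if (t.isSubdomain) findings.push("token also covers every subdomain of the origin");
  if (t.isThirdParty) findings.push("third-party token: usable by a script injected on other sites");
  return findings;
}

// Constructed sample only: zero-filled signature, so Chrome would reject this token.
function buildSampleToken(payload, version = 3) {
  const body = new TextEncoder().encode(JSON.stringify(payload));
  const bytes = new Uint8Array(69 + body.length);
  bytes[0] = version;
  new DataView(bytes.buffer).setUint32(65, body.length, false);
  bytes.set(body, 69);
  return btoa(String.fromCharCode(...bytes));
}

const sample = buildSampleToken({
  origin: "https://shop.example:443", // constructed origin
  feature: "DisableThirdPartyStoragePartitioning",
  expiry: 1725321600, // constructed value (2024-09-03T00:00:00Z)
  isSubdomain: true,
});
const expectedScope = {
  origin: "https://shop.example:443",
  feature: "DisableThirdPartyStoragePartitioning",
};
console.log(auditToken(sample, expectedScope, 1720000000));
```

An empty result only means the payload matches the expected origin and trial; whether Chrome accepts the token still depends on its signature.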
Share feedback
Please submit any feedback or issues you encounter to the Partitioned Storage Deprecation Trial GitHub repository.