Page MenuHomePhabricator

Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin
Open, Needs TriagePublic

Description

Steps to reproduce:

  • open Chrome in incognito mode
  • enable "Block third-party cookies" option
  • log in on en.wikipedia.org
  • visit other projects

(Alternatively, enable "Block third party cookies" in the browser settings.)

Results:

  • local login works
  • second-level domain login (e.g. de.wikipedia.org) works
  • edge login (e.g. en.wiktionary.org, being logged in immediately after arrival) does not work
  • autologin (being logged in a few seconds after arrival) does not work
  • autologin when visiting Special:Userlogin does not work

While this is currently an opt-in feature, a 2020 January Chrome blog post says "Once [privacy-preserving and open-standard mechanisms like the Privacy Sandbox] have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years." so this is probably the sign of things to come for the default browsing experience as well.

chrome block third parties.png (740×1 px, 62 KB)
chrome-block-3rd-party-cookies.png (380×1 px, 58 KB)

Event Timeline

Tgr renamed this task from Chrome's "Block third-party cookies" option breaks CentralAuth edge login to Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin.Jul 13 2020, 10:48 AM

Garr, sorry, meant T257853 (also authored by you). Thanks! :)

Data from https://samesite-sandbox.glitch.me/ (with Chrome 83):

"Block third-party cookies" disabled"Block third-party cookies" enabled
samesite-sandbox-no-block-3rdparty.png (921×1 px, 145 KB)
samesite-sandbox-block-3rdparty.png (872×1 px, 145 KB)

So (as expected) this restriction is different from the SameSite enforcement Chrome is rolling out, and cross-wiki cookies get blocked regardless of their SameSite settings.