Cookies Having Independent Partitioned State (CHIPS) origin trial
Starting in Chrome 100, the CHIPS origin trial allows opting cookies in to "partitioned" storage, with a separate cookie jar per top-level site.
What is CHIPS?
Cookies Having Independent Partitioned State (CHIPS) is a Privacy Sandbox proposal that allows developers to opt a cookie into "partitioned" storage, with separate cookie jars per top-level site.
A partitioned third-party cookie is tied to the top-level site where it's initially set and cannot be accessed from elsewhere. The aim is to allow cookies to be set by a third-party service, but only read within the context of the top-level site where they were initially set.
Who is the origin trial for?
This trial is available as a third-party origin trial, which enables providers of embedded content to try out a new feature across multiple sites.
If a site enrolls in the trial as a first-party, the cookie partitioning functionality will be available to any third-party content providers on that site as well. These third-party providers should also expect to receive extra HTTP headers, indicating their enrollment in the origin trial.
How long will the trial run?
The trial will be available from Chrome 100 to Chrome 103. Check the Chrome release schedule for the planned release dates.
How to enroll in the origin trial
Prerequisites
Chrome stable 100.
Steps
- To register for the origin trial and get a token for your domains, visit the CHIPS origin trial page.
- Include the Origin-Trial header with a valid token in each page response:
    Origin-Trial: <ORIGIN TRIAL TOKEN>
- Include the Accept-CH header with the following value in each page response:
    Accept-CH: Sec-CH-Partitioned-Cookies
- Add the Partitioned attribute to cookies in one of two ways:
  - In the Set-Cookie header:
      Set-Cookie: __Host-name=value; Secure; Path=/; SameSite=None; Partitioned;
  - In JavaScript:
      cookieStore.set({
        name: '__Host-name',
        value: 'value',
        secure: true,
        path: '/',
        sameSite: 'none',
        // Set a partitioned cookie using the attribute below.
        partitioned: true,
      });
Example
Sites participating in the origin trial should include the following headers in their response:
Origin-Trial: <ORIGIN TRIAL TOKEN>
Accept-CH: Sec-CH-Partitioned-Cookies
Set-Cookie: __Host-name=value; Secure; Path=/; SameSite=None; Partitioned;
Verify that it's working
Inspect the headers
If you have successfully opted into the origin trial, subsequent requests from the Chrome client will include the Sec-CH-Partitioned-Cookies: ?1 request header until the current session is ended.
Sec-CH-Partitioned-Cookies: ?1
Cookie: __Host-name=value
If your site receives the cookie without this client hint, opting into the origin trial was not successful and the cookie you are receiving is not partitioned.
If you store persistent partitioned cookies, you will receive the Sec-CH-Partitioned-Cookies: ?0 request header for the first request to the cookies' origin.
Origin-Trial: <ORIGIN TRIAL TOKEN>
Accept-CH: Sec-CH-Partitioned-Cookies
Set-Cookie: __Host-name=value; Secure; Path=/; SameSite=None; Partitioned; Max-Age=86400;
If the user visits the site after the current session has ended, the first request to the site will include the following request headers:
Sec-CH-Partitioned-Cookies: ?0
Cookie: __Host-name=value
If you do not respond with a valid token in the Origin-Trial header and Accept-CH: Sec-CH-Partitioned-Cookies, then the partitioned cookies on the machine will be converted to unpartitioned cookies.
For more details, check out CHIPS documentation on chromium.org.
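The header checks described above can be run server-side on every request. This is an added example, not code from the original article; the function name, state names and sample requests are assumptions made for illustration.

```javascript
// Opt-in headers the page says must accompany each page response.
const OPT_IN = {
  'Origin-Trial': '<ORIGIN TRIAL TOKEN>', // placeholder, as on the page
  'Accept-CH': 'Sec-CH-Partitioned-Cookies',
};

// classifyChipsRequest is a hypothetical helper: it maps the request
// headers to the situations the article describes.
function classifyChipsRequest(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).trim(); // header names are case-insensitive
  }
  const hint = h['sec-ch-partitioned-cookies'];
  const hasCookie = Boolean(h['cookie']);
  let state;
  if (hint === '?1') {
    state = 'opted-in'; // trial active for this session
  } else if (hint === '?0') {
    state = 'persisted-needs-opt-in'; // first request of a new session
  } else {
    // A cookie arriving without the hint is not partitioned.
    state = hasCookie ? 'unpartitioned-cookie' : 'no-cookie';
  }
  // Leaving these headers out after "?0" lets the browser convert the
  // stored partitioned cookies to unpartitioned ones.
  return { state, responseHeaders: { ...OPT_IN } };
}

// Constructed sample requests.
const sampleRequests = [
  { 'Sec-CH-Partitioned-Cookies': '?1', Cookie: '__Host-name=value' },
  { 'Sec-CH-Partitioned-Cookies': '?0', Cookie: '__Host-name=value' },
  { Cookie: '__Host-name=value' },
];
for (const req of sampleRequests) console.log(classifyChipsRequest(req).state);
```

Logging the 'unpartitioned-cookie' state is a simple way to measure how many clients are sending the cookie outside the trial.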
DevTools
- Go to chrome://flags/#partitioned-cookies and change the setting to "Enabled".
- Restart Chromium by clicking the "Relaunch" button in the bottom-right corner, or by navigating to chrome://restart.
- Go to chrome://settings/cookies and make sure that the radio button is set to "Allow all cookies" or "Block third-party cookies in Incognito".
- Load the site with the embed.
- Open DevTools to Application > Cookies > yourSite and look for the Partition Key column in DevTools.
Not every client will have the origin trial enabled.
Additional details
Cookies requirements
- Partitioned cookies must be set with the Secure and Path=/ and without the Domain attribute.
- SameParty attribute cannot be used along with Partitioned.
Chrome will enforce these rules for cookies set with the Partitioned attribute whether cookie partitioning is enabled or disabled. Cookies that are set incorrectly will be rejected.
If cookie partitioning is disabled, but the cookie is set with the correct attributes, Chrome will ignore the Partitioned attribute and the resulting cookie will still be sent in requests to its host on different top-level sites than where it was set.
Partitioned cookies should include SameSite=None attribute as well, to allow cookies to be sent in a third-party context in browsers that do not support cookie partitioning.
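The requirements above can be checked before a response leaves the server. This is an added example, not code from the original article or from Chrome; checkPartitionedCookie is a hypothetical helper and the sample headers are constructed.

```javascript
// Checks one Set-Cookie header value against the rules listed above.
function checkPartitionedCookie(setCookieValue) {
  const [pair, ...attrParts] = setCookieValue.split(';');
  const attrs = new Map();
  for (const part of attrParts) {
    const trimmed = part.trim();
    if (!trimmed) continue; // tolerate a trailing ';'
    const eq = trimmed.indexOf('=');
    const key = (eq === -1 ? trimmed : trimmed.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : trimmed.slice(eq + 1).trim();
    attrs.set(key, val);
  }
  const name = pair.split('=')[0].trim();
  const errors = [];   // rule violations: the cookie will be rejected
  const warnings = []; // accepted, but may not be sent where expected
  if (!attrs.has('partitioned')) {
    return { name, partitioned: false, errors, warnings };
  }
  if (!attrs.has('secure')) errors.push('missing Secure');
  if (attrs.get('path') !== '/') errors.push('Path must be /');
  if (attrs.has('domain')) errors.push('Domain must not be set');
  if (attrs.has('sameparty')) {
    errors.push('SameParty cannot be combined with Partitioned');
  }
  if ((attrs.get('samesite') || '').toLowerCase() !== 'none') {
    warnings.push('SameSite=None missing: needed in browsers without partitioning');
  }
  return { name, partitioned: true, errors, warnings };
}

// Constructed sample headers: one valid, one breaking every rule.
const sampleCookies = [
  '__Host-name=value; Secure; Path=/; SameSite=None; Partitioned;',
  'sid=abc; Path=/app; Domain=example.com; SameParty; Partitioned',
];
for (const s of sampleCookies) console.log(checkPartitionedCookie(s));
```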
JavaScript and service workers
Frames that opt into the origin trial will have access to reading and writing partitioned cookies via JavaScript APIs such as document.cookie and the CookieStore API. Scripts in frames that are not in the trial will not be able to read or write partitioned cookies.
The CHIPS origin trial is currently not supported in service workers.
Engage and share feedback
- Raise issues and follow the discussion on GitHub.
- Ask questions and join discussions on the Privacy Sandbox Developer Support repo.
- Explore different avenues for giving feedback on Privacy Sandbox proposals.