Audit your use of cookies

Understand your third-party cookies

Cookies sent in cross-site contexts, such as iframes or subresource requests, are generally referred to as third-party cookies.

Use cases for third-party cookies include:

  • Embedded content shared from other sites, such as videos, maps, code samples, and social posts.
  • Widgets for external services such as payments, calendars, booking, and reservation.
  • Widgets such as social buttons or anti-fraud services.
  • Remote <img> or <script> resources that rely on cookies to be sent with a request (commonly used for tracking pixels and personalizing content).

Figure: Example of a third-party cookie.

In 2019, browsers changed cookie behavior, restricting cookies to first-party access by default. Any cookies used in cross-site contexts today must be set with the SameSite=None attribute.

Set-Cookie: cookie-name=value; SameSite=None; Secure

Audit your third-party cookie usage

Cookies marked for third-party usage can be identified by their SameSite=None value. You should search your code to look for instances where you set the SameSite attribute to this value. If you previously made changes to add SameSite=None to your cookies around 2020, then those changes may provide a good starting point.

If you find cookies marked as SameSite=None that don't seem to be used in a cross-site context, check if that's deliberate, as they may be used in a cross-site context elsewhere. Otherwise, SameSite=None may have been set inadvertently and you should remove any unnecessary SameSite=None usage.

Partitioned cookies—those set with the Partitioned attribute—will continue to be delivered after third-party cookies are deprecated on browsers that support this attribute.
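
The audit described above can be scripted over the Set-Cookie header values your servers emit. The following is an added example, not code from this page, Chrome, or PSAT: the function names, finding labels, and sample headers are constructed for illustration.

```javascript
// Added example: classify Set-Cookie header values for a third-party cookie audit.
// parseSetCookie, auditSetCookie and the finding labels are hypothetical names.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  // Null-prototype object so attribute names taken from input cannot clash with built-ins.
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: Object.create(null) };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive; flags such as Secure carry no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

function auditSetCookie(headers) {
  return headers.map((header) => {
    const { name, attrs } = parseSetCookie(header);
    const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
    // Unrecognized SameSite values fall back to the browser default.
    const sameSite = ['lax', 'strict', 'none'].includes(raw) ? raw : null;
    let finding;
    if (sameSite !== 'none') {
      // Lax, Strict, or no attribute: not marked for cross-site use.
      finding = sameSite ? 'first-party' : 'first-party-by-default';
    } else if (!attrs.secure) {
      finding = 'invalid-missing-secure'; // SameSite=None requires Secure
    } else if (attrs.partitioned) {
      finding = 'partitioned'; // still delivered where Partitioned is supported
    } else {
      finding = 'third-party-review'; // confirm the cross-site use is deliberate
    }
    return { name, sameSite, finding };
  });
}

// Constructed sample headers, for illustration only.
const sampleHeaders = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'widget_state=xyz; Path=/; Secure; SameSite=None',
  'embed_pref=dark; Path=/; Secure; SameSite=None; Partitioned',
  'legacy_id=42; Path=/; samesite=none',
  'theme=light; Path=/',
];
for (const row of auditSetCookie(sampleHeaders)) console.log(`${row.name}: ${row.finding}`);
```

Cookies reported as third-party-review are the ones to trace back to a cross-site use case or to strip of SameSite=None.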

Chrome DevTools

The Chrome DevTools Network panel shows cookies set and sent on requests. In the Application panel you can see the Cookies heading under Storage. You can browse the cookies stored for each site accessed as part of the page load. You can sort by the SameSite column to group all the None cookies.

Figure: DevTools Issues tab showing a warning for SameSite=None cookies.

From Chrome 118, the DevTools Issues tab shows the breaking change issue, "Cookie sent in cross-site context will be blocked in future Chrome versions." The issue lists potentially affected cookies for the current page.

Privacy Sandbox Analysis Tool (PSAT)

We have also built the Privacy Sandbox Analysis Tool (PSAT), a DevTools extension to facilitate analysis of cookie usage during browsing sessions. This provides debugging pathways for cookies and Privacy Sandbox features, with access points to learn more about the Privacy Sandbox initiative.

Figure: Privacy Sandbox Analysis Tool (PSAT) screenshot showing the number and types of cookies used in a modal and the list of cookies behind that with the reason they are blocked.

The extension complements DevTools with specialized capabilities for analyzing and debugging scenarios related to the deprecation of third-party cookies and adoption of new privacy-preserving alternatives.

You can download the extension from the Chrome Web Store or access the PSAT repository and wiki.

Check in with your third-party service providers

If you identify cookies set by third parties, you should check with those providers to see if they have plans for the third-party cookie phaseout. For example, you may need to upgrade a version of a library you are using, change a configuration option in the service, or take no action if the third party is handling the necessary changes themselves.

Improve your first-party cookies

If your cookie is never used on a third-party site, for example if you set a cookie to manage the session on your site and it's never used in a cross-site iframe, then you should explicitly mark the cookie as SameSite=Lax or SameSite=Strict. There are a number of other sensible defaults to use for first-party cookies. For more details, check out Recipes for first-party cookies.