Request more time to prepare with the third-party cookie deprecation trial for top-level sites

If your first-party site relies on third-party embedded services and third-party cookie deprecation has caused functionality on your website to break, you may be eligible for the deprecation trial for top-level sites.

As previously announced, Chrome has begun restricting third-party cookies by default for 1% of Chrome users to facilitate ecosystem testing of the Privacy Sandbox APIs. Chrome plans to ramp up third-party cookie restrictions to 100% of users starting in early 2025, subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). To ease the transition, we announced the third-party deprecation trial to allow embedded sites and services to request additional time to migrate away from third-party cookie dependencies for non-advertising use cases.

We are now also offering a separate deprecation trial for top-level sites experiencing breakage due to third-party cookie issues of their third-party embedded sites–further referred to as first-party deprecation trial. We are offering this trial to address cases where it is impossible, impractical or unnecessary to get all affected third-party providers to sign up for the third-party deprecation trial. This deprecation trial will temporarily provide cross-site cookie access for non-advertising use cases.

The first-party deprecation trial is open for registration now and will end on December 27, 2024. Developers are expected to make necessary changes and plans for full third-party cookie deprecation by this date.

To minimize user friction while top-level sites apply to the first-party deprecation trial and deploy trial tokens, Chrome will temporarily re-enable third-party cookies for sites with reported user-facing breakage, once confirmed by Chrome based on the criteria that follow, even if they have not yet completed deprecation trial enrollment. We will need the reporter to provide the site's URL and the domains of the third party cookies needing to be unblocked. Sites must enroll in the first-party deprecation trial and deploy deprecation trial tokens before 30 June, 2024, when this grace period will expire.

Important dates Details
January 4th, 2024 Third-party cookies restricted for 1% of Chrome users.
January 16th, 2024 First-party deprecation trial applications open to request additional time until December 27, 2024. Sites with reported user-facing breakage are eligible for a grace period. This provides temporary access to third-party cookies on their site until June 30, 2024.
June 30, 2024 Grace period expires. Sites must be enrolled in a Deprecation Trial and have trial tokens deployed to continue to access third-party cookies.
December 27th, 2024 Deprecation trial ends.

Eligibility criteria and review process

Similar to the third-party deprecation trial, this deprecation trial introduces a review and approval process for participation. This process helps ensure a balance between improving privacy for users on the web while minimizing breakage while sites remove their dependencies on third-party cookies.

The principles guiding this deprecation trial are:

  • Preserving user-critical functionality: This deprecation trial is intended for top level sites that demonstrate functional breakage in user journeys.
  • Limiting user tracking: The deprecation trial is not intended to support cross-site tracking for advertising purposes, and as such any identified third-party cookies used for advertising are not eligible.

The ineligibility of advertising use cases will also help to ensure the deprecation trial does not interfere with the industry testing planned for the start of 2024 as described by the Competition and Markets Authority. This includes advertising-related domains that are also used for non-advertising purposes.

Chrome will institute checks to determine scripts and domains related to advertising. This includes initially working with Disconnect.me, an industry leader in internet privacy. Disconnect is already used by other browsers for similar purposes on the web.

We will apply the following process for registration requests:

  • If any of the provided third-party registrable domains match a known advertising domain, including if the origin matches an entry on the Disconnect advertising list, then the registration request will be rejected.
  • Steps to reproduce a broken user-facing experience must be provided. In particular, if none of the specific third party cookies from the listed third-party sites are contributing to the cause of the breakage then the registration request will be rejected.
  • Otherwise, the registration request will be approved.

We plan to offer an appeals process if the registering origin believes more information could clarify a review decision. The registrant can request an appeal by reapplying on the OT console. The intent of appeals is for requests that were rejected due to missing the requested information (such as known breakage bug or breakage reproduction steps) or if the registering origin believes more information could satisfy these requirements to clarify a review decision.

Apply for the first-party deprecation trial

Before applying

  1. Validate which third-party cookies are needed to enable site functionality on your site by using Chrome DevTools.
  2. Report any identified breakage at https://goo.gle/report-3pc-broken, noting both your website and the domain whose third-party cookies were blocked, causing breakage.
  3. Include reproduction steps that our team can use to verify the functional breakage. Alternatively, if it's easier or your functionality is gated by login or similar, you can use Chrome DevTools Recorder and provide a link to a recording of the steps that reproduce the problem.

How to apply

  1. Visit Trial for Third Party Cookie Deprecation for Top Level Sites or navigate to it from the list of active trials on the Chrome Origin Trials page.
  2. Click Register.
  3. Provide the origin of your website that needs third-party cookies enabled in the Web Origin field.
  4. If you have impacted user journeys across multiple subdomains, then check the match all subdomains option.
    • With this option selected, the token provided will match the domain registered, and domains below it. For example: register https://example.com to match example.com, www.example.com, foo.example.com, and bar.foo.example.com. If you register https://www.example.com, your token will match www.example.com and foo.www.example.com, but not foo.example.com.
    • Tokens will match multiple subdomains similarly to wildcard matching, for example *.<domain>. Request a token for example.com and it can be provided on a.example.com, b.example.com, and other subdomains.
    • If you have user journeys broken across separate origins that are not under the same domain, you will need to make separate registrations for each origin.
  5. Acknowledge all conditions included in "Disclosure and Acknowledgement" by checking all boxes.
  6. Submit the request. To process your application, we will require additional information.

Submit additional information

Once you've submitted your request, you will receive an email notification with an auto-generated ticket asking for the following:

  • The list of third-party registrable domains (that is, domain not including sub-domains, also called eTLD+1) where third-party cookies need to be permitted under the provided first-party origin.
  • The number of subdomains tied to your requested origin.
  • The bug ID or link for the associated third-party breakage repository bugs that you previously reported to goo.gle/report-3pc-broken.
  • Any additional information or context about the breakage and your use case that you would like us to consider. (In cases of an appeal for a denied trial request, explain why and how your origin meets the outlined criteria for this trial.)

Once submitted, we will review your request and notify you when review is complete or if additional information is needed, and whether your request is approved or denied. You will also receive the status and rationale for the result. If approved, you can proceed to provide the trial token as needed. If denied, you can follow the guidance in the request ticket.

Set flags for testing

At this time, we recommend you set the following flags, available from Chrome 123, to allow effective testing. This combination of flag settings will help replicate the Mode B user experience.

  • chrome://flags#top-level-third-party-cookie-deprecation-trialenabled
    This is the default. Allow participation in the trial.

  • chrome://flags/#tracking-protection-3pcdenabled
    Turn on Tracking Protection: show the eye icon UI in the address bar to allow the user to temporarily enable third-party cookies for a site, and provide chrome://settings/trackingProtection instead of chrome://settings/cookies.

  • chrome://flags/#tpcd-metadata-grantsdisabled
    Make Chrome behave as if the grace period is not in effect. This can be used to check that your site has deployed deprecation trial tokens correctly, before the grace period ends (for a site that is subject to the grace period).

  • chrome://flags/#tpcd-heuristics-grantsdisabled
    Don't allow heuristics-based mitigations. This can be useful for testing that other longer-term fixes (without third-party cookies) are working as expected without heuristics mitigations, and that deprecation trial participation is working as expected.

If you need to manually test that the grace period is working as expected before testing token deployment, you will need to enable chrome://flags/#tpcd-metadata-grants instead of disabling.

Add the deprecation trial token

Refer to Get started with origin trials, Third-party origin trials, and Troubleshoot Chrome origin trials for more details.

You should use the trial token for any page which requires cookies from the specific third-party sites listed in your request. There are two ways to use this token.

Provide the token in an HTTP header

You can include the Origin-Trial HTTP header in the response for every web page where you need the third-party cookies you requested:

  Origin-Trial: TOKEN_GOES_HERE

Provide the token in a <meta> tag

Alternatively, you can provide this token in a <meta> tag in the <head> of each page where you need third-party cookies:

  <meta http-equiv="origin-trial" content="TOKEN_GOES_HERE">

Validate that the deprecation trial is active on your site

At the beginning of this trial until June 30, 2024, during the grace period, approved site cookies will be enabled by an internal mechanism. During this time, you can check either the site data dialog or DevTools to ensure that the cookies you requested are enabled.

Using the site data dialog:

  1. Navigate to your site.
  2. Click the tune icon on the left side of the omnibar.
  3. Click Cookies and site data or Tracking Protection.
  4. Click Manage on-device site data and review the list.

Using DevTools:

  1. Navigate to your site.
  2. Open DevTools.
  3. Select the Issues tab.
  4. Look for an issue titled "Third-party websites have been allowed to access cookies on this page".
  5. Review the "Affected Resources" list.

You will need to deploy your deprecation trial token before the grace period expires on June 30, 2024.

Starting in Chrome 123 and after your token is deployed, you can verify Chrome has recognized your token in the DevTools Application tab, as described in the origin trials documentation.

  1. Navigate to your site.
  2. Open Chrome DevTools.
  3. Open the Application panel.
  4. Select the Frames tab and open the top frame.
  5. Go to the Origin Trials section.

There, you should see an entry for TopLevelTpcd. If your token is active, you will see a green "Enabled" status next to this TopLevelTpcd entry. Otherwise, you will see a red error status, and you can expand the entry to see the problem.

Only one valid token is needed to activate the deprecation trial. If you have registered for the first-party trial and an embedded site has enrolled in the third-party deprecation trial, it is not an issue if both tokens are present within the page.

What cookies are enabled?

This deprecation trial will initially only enable third-party cookies that originate from the requested third-party sites for the requesting first-party top-level site. Any other third-party cookies on the top-level site won't be enabled with this trial during the grace period. After the grace period ends on June 30, 2024, Chrome will unblock third-party cookies on your site that come from domains not associated with advertising purposes.

After activation, iframe and subresource requests from the requested third-party site will include third-party cookies. Any iframe from that third-party origin will have access to its cookies using JavaScript as well. Cookie Domain attributes are not considered here. Only the request URL origin is considered. Once a request is determined to have third-party cookies, all such cookies will be attached as usual even if the domain of a cookie is more permissive.

Subdomains

If you request the "match all subdomains" option in the deprecation trial application, you can use your token on any subdomain of your origin, as well as on the domain itself. For example, a token for firstparty.example could be used on firstparty.example, one.firstparty.example, two.firstparty.example, or chat.two.firstparty.example.

However, you need to explicitly specify each subdomain you want to grant access to third-party cookies during the grace period.

Example

Let's say that your website, firstparty.example, embeds resources hosted by one.embedded.example. You register for the deprecation trial in order to grant this resource access to its third-party cookies. Then, when one.embedded.example is embedded on your site:

  • Iframe one.embedded.example/iframe.html will have access to its cookies.
  • A request for one.embedded.example/image.jpg will include its cookies.
  • Requests for two.embedded.example/image.jpg two.embedded.example/iframe.html will not include their cookies because they are not from the same origin, and the deprecation trial did not register the third-party origin two.embedded.example.

Frequently asked questions

What if I have questions about the Disconnect.me list?

Contact Disconnect at support@disconnect.me as we don't manage the Disconnect list. For more information, see their tracker protection page.

Can I register for the deprecation trial if my domain is used for both advertising and non-advertising purposes?

The top level domain requesting to be in this deprecation trial won't be subject to the non-advertising check. We will however check that all the requested third-party embeds and services are not used for advertising, for the reasons explained in this blog. This includes advertising-related domains that are also used for non-advertising purposes. For more information, see the Eligibility criteria and review process section.

Will sites be able to see which one of their embedded partners have enrolled in the deprecation trial? Will they be able to limit the registration across their partners?

Yes, sites can see which embeds and services are relying on a deprecation trial token, from the Application panel in Chrome Devtools. See Troubleshoot Chrome origin trials for more information.

Top level sites won't be able to limit registration across their partners or the embeds and services on their page. Contact the partner if necessary.

If my embedded partner is enrolled for the third party trial, will that affect my participation in this first party trial?

No, if both the first party and the third party site are using their respective tokens to enable the site functionality, there should be no issue.

How long will it take to review my deprecation trial application? Where can I check on the status of my application?

Response times may vary; you are encouraged to begin the registration process as soon as possible to minimize user-facing breakage. If you have not received any response within 2 weeks of submitting your registration, contact 3PCD-1P-deprecationtrial@google.com.

You can continue to monitor the bug thread for open conversation, decision status and rationale.