Design Review #779

#779: Cookies Having Independent Partitioned State (CHIPS) specification review

Opened Oct 19, 2022

Wotcher TAG!

I'm requesting a TAG review of CHIPS.

Given that browsers plan on deprecating or already have deprecated unpartitioned third-party cookies, we want to give developers the ability to use cookies in cross-site contexts that are partitioned by top-level site to meet cookie use cases that are not cross-site tracking related (e.g. SaaS embeds, headless CMS, sandbox domains, etc.). In order to do so, we introduce a mechanism to opt-in to having their third-party cookies partitioned by top-level site using a new cookie attribute, Partitioned.

Explainer¹ (minimally containing user needs and example code): https://github.com/privacycg/CHIPS
Specification URL: https://github.com/DCtheTall/CHIPS-spec
Tests: https://github.com/web-platform-tests/wpt/tree/master/cookies/partitioned-cookies
User research: N/A
Security and Privacy self-review²: https://github.com/privacycg/CHIPS/blob/main/TAG-S%26P-questionnaire.md
GitHub repo (if you prefer feedback filed there): https://github.com/privacycg/CHIPS/issues/
Primary contacts (and their relationship to the specification):
- Dylan Cutler (DCtheTall), Google Chrome
- Kaustubha Govind (krgovind) Google Chrome
Organization(s)/project(s) driving the specification: Google / Privacy Sandbox
Key pieces of existing multi-stakeholder review or discussion of this specification:
- https://github.com/privacycg/CHIPS/issues/
- https://github.com/w3ctag/design-reviews/issues/654
External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5179189105786880

Further details:

I have reviewed the TAG's Web Platform Design Principles
Relevant time constraints or deadlines: N/A
The group where the work on this specification is currently being done: Google / Privacy Sandbox
The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): PrivacyCG
Major unresolved issues with or opposition to this specification: N/A
This work is being funded by: Google

You should also know that...

Early review of CHIPS concluded that CHIPS was privacy positive.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

Discussions

2022-10-24

Minutes

Sangwhan: late review, more concrete proposal without FPS

Amy: will look at this later this week, [bumps milestone]

2022-10-31

Minutes

Dan: leaves comment asking for further info.

Amy: Finds Mozilla Standards Position and Webkit position.

Dan: Let's re-review at the plenary.

2022-11-14

Minutes

Dan: they gave us a list of substantive changes.

Reviewing https://github.com/privacycg/CHIPS/issues/30

Dan: Seems resolved.

Reviewing https://github.com/privacycg/CHIPS/issues/48

Amy: Major credit for all the stakeholder involvement here. Seems really good..

Dan: after reviewing these and the removal of the dependency on first party sets my instinct is to close this...

Amy: Ask Privacy sandbox people to fill out the societal impacts questionnaire?

Dan: As beta testers?

Amy: Yes.

Dan: good idea.

Amy: They have yet to update their answers to the security & privacy questionnaire. I'll leave a comment asking for this and indicating we'll close [positively] after that.

Dan: +1

2022-11-28

Minutes

Amy: they've updated the privacy & Security questionnaire but it's still not up to date with the spec (they missed a bit about PII). I'm reviewing the moz standards position as well. Maybe we should close with satisfied?

Dan: Leave the comment and we can discuss it at the plenary and hopefully close based on their feedback. sets to proposed closed