At my company, we have a Chrome extension that injects an iframe when the user presses Cmd + J. The iframe is a power bar that allows users to search for things in our app.
With the third-party cookies phaseout, the iframe's requests will fail because they use some cookies with the JWT token.
I tried to implement the storage access API approach and request the grants to be allowed to use third-party cookies. Still, even when I got PermissionStatus {name: 'storage-access', state: 'granted', onchange: null}, the requests are not able to use the third party cookies.
Should I use the CHIPS approach instead, or is there something else I should consider?
Thanks in advance
carlos-rodrigo changed the title from "Use case validation" to "Use case validation - iframes using third party cookies as part of the requests" on Apr 26, 2024
carlos-rodrigo changed the title from "Use case validation - iframes using third party cookies as part of the requests" to "Use case validation - iframe using third party cookies as part of the requests" on Apr 26, 2024
Hi @carlos-rodrigo, you should check document.hasStorageAccess() to know whether requests in the iframe will be done with third-party (unpartitioned) cookies attached to it. The permission isn't enough unless you also "activate" storage access by calling document.requestStorageAccess() in the iframe. If hSA returns true but your requests still don't carry cookies that would be weird and it would be helpful to get some example of your code hosted on glitch.com etc. :)
If CHIPS does the job for you then that seems strictly preferable, since it doesn't involve the complicated permission ritual that storage access has for privacy reasons.
Finally, since this seems to be an internal Chrome extension for your enterprise, you could also allow-list the affected site via the chrome.ContentSettings API or Enterprise Policies. Note that this will keep your internal endpoints vulnerable to CSRF and similar attacks beyond third-party cookie deprecation.
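The distinction the reply draws between a granted permission and activated storage access, as an added example that is not part of the original thread. It is meant to run inside the embedded iframe; the function names and the `doc`/`perms` parameters are assumptions made here so the logic can be exercised with stub objects.

```javascript
// Added example (not from the thread). Runs in the embedded iframe.
// `doc` and `perms` default to the browser objects; they are parameters
// only so the decision logic can be tested with stubs.
async function ensureStorageAccess(doc = globalThis.document,
                                   perms = globalThis.navigator?.permissions) {
  // hasStorageAccess() answers the real question: will requests from THIS
  // document carry unpartitioned (third-party) cookies right now?
  if (await doc.hasStorageAccess()) return 'active';

  let state = 'prompt';
  try {
    state = (await perms.query({ name: 'storage-access' })).state;
  } catch { /* permission not queryable here: treat as 'prompt' */ }

  if (state === 'granted') {
    // A granted permission is not enough on its own. Each document still
    // has to activate it; with a prior grant no user gesture is required.
    try {
      await doc.requestStorageAccess();
      return (await doc.hasStorageAccess()) ? 'active' : 'denied';
    } catch {
      return 'denied';
    }
  }
  // Without a prior grant the request must come from a user gesture,
  // so the caller should wire activateFromGesture() to a click handler.
  return state === 'denied' ? 'denied' : 'needs-gesture';
}

// Call from inside a click/keydown handler in the iframe.
async function activateFromGesture(doc = globalThis.document) {
  try {
    await doc.requestStorageAccess();
  } catch {
    return false; // rejected by the user or the browser
  }
  return doc.hasStorageAccess();
}
```

Only issue cookie-authenticated requests once `ensureStorageAccess()` returns `'active'`; any other result means the JWT cookie will not be attached.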