Detect third-party cookie availability in Chrome

Chrome has proposed a new experience that would let users choose how third-party cookies are handled as they browse. Sites and services may need to detect whether or not third-party cookies are available in a given context. Chrome has two primary methods for detecting access to third-party cookies for embedded content: using the hasStorageAccess JavaScript method and observing Sec-Fetch-Storage-Access headers.

Privacy Sandbox introduced APIs that may grant specific frames access to third-party cookies if certain conditions are met. Therefore, it's important to be able to detect access to unpartitioned cookies on a per-embed basis.

Detect access to third-party cookies in iframes

When an iframe's content is hosted on a site that's different from the one displayed in the user's address bar, it is considered cross-site and may have third-party cookies restricted. The iframe can detect whether it currently has access to third-party cookies by calling await document.hasStorageAccess(). This method returns true or false, depending on whether or not the frame has access to unpartitioned cookies.

If your iframe makes use of the Storage Access API (SAA) to gain access to unpartitioned cross-site cookies (using SAA by itself or with Related Website Sets), you can check the storage-access permission to determine whether or not the frame can opt in to accessing unpartitioned cookies.
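The two checks described above, combined in one helper, as an added example that is not code from the original page: it calls document.hasStorageAccess() first and only then queries the storage-access permission. The function name, the env parameter (browser globals by default, stubs for testing) and the returned state labels are assumptions of this example; the labels borrow the none / inactive / active wording of the Sec-Fetch-Storage-Access header, plus 'unknown' for browsers without the API.

```javascript
// Added example (not from the original page). Classifies an embedded frame's
// access to unpartitioned cookies. `env` defaults to the browser globals;
// passing stub objects lets the logic run outside a browser.
async function detectCookieAccess(env = globalThis) {
  const doc = env.document;
  const perms = env.navigator && env.navigator.permissions;

  // No Storage Access API in this browser: we cannot tell, so report
  // 'unknown' instead of assuming cookies will be sent.
  if (!doc || typeof doc.hasStorageAccess !== 'function') {
    return { state: 'unknown', permission: null };
  }

  // true means the frame has access to unpartitioned cookies right now.
  if (await doc.hasStorageAccess()) {
    return { state: 'active', permission: null };
  }

  // No access yet. The storage-access permission tells us whether the
  // frame can opt in to unpartitioned cookies.
  let permission = 'prompt';
  try {
    if (perms) {
      permission = (await perms.query({ name: 'storage-access' })).state;
    }
  } catch (err) {
    // Browsers that do not know this permission name reject the query;
    // keep the conservative default of 'prompt'.
  }

  // 'inactive': permission is held, but access has not been activated.
  // 'none': no access and no permission to activate it.
  const state = permission === 'granted' ? 'inactive' : 'none';
  return { state, permission };
}
```

In an embedded frame, call it with no arguments: const { state } = await detectCookieAccess();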

Detect access to third-party cookies in HTTP requests

From Chrome 133, the header Sec-Fetch-Storage-Access is sent with credentialed requests to let the server know whether or not its calling context has access to unpartitioned cookies. This header contains one of three values:

  • none: The embed does not have access to unpartitioned cookies
  • inactive: The embed has permission to access unpartitioned cookies but has not activated it
  • active: The embed has access to unpartitioned cookies

Conditions that grant embeds access to unpartitioned cookies

Access to unpartitioned third-party cookies can be granted in a number of ways to support cases where these cookies provide necessary functionality. The following methods result in unpartitioned cookie access being granted. In several cases, requestStorageAccess() or requestStorageAccessFor() must be called before access is granted.

| Method | Example | Must call requestStorageAccess? |
|---|---|---|
| Storage Access API prompt | User is prompted to allow storage access and selects "Allow". | Yes |
| Federated Credential Management | User logs in with a federated identity provider (IdP); the IdP's frame requests storage access. | Yes |
| Related Website Sets | The embed and the embedder belong to the same RWS. | Yes |
| 3PCs enabled in user settings | User chooses to allow 3PCs for all of their browsing or for just a specific origin. | No |
| Heuristics-based exceptions | Chrome detects a heuristic pattern and automatically grants access to unpartitioned cookies. A call to requestStorageAccess() is not required. | No |
| Temporary exceptions (for example, grace period) | The site or service has enrolled in a temporary Chrome exception as they transition to a more durable solution. | No |
| Enterprise policies | A company's Chrome Enterprise administrator has chosen to allow 3PCs on some or all traffic. | No |