Explore cookie partitioning #15

Closed
krgovind opened this issue Aug 27, 2020 · 3 comments

krgovind commented Aug 27, 2020

EDIT: We published an explainer expanding on this idea: https://github.com/DCtheTall/CHIPS/


During the CG meeting today, the topic of partitioning cookies came up.

@annevk mentioned that Firefox is currently experimenting with this. Also see his previous comment.

@johnwilander previously wrote that Safari attempted this change and rolled it back due to a couple of concerns that are broadly relevant:

  • Developer confusion
  • Multiple sets of cookies increases memory footprint

Both of these issues might be alleviated by using an opt-in model for partitioned cookies.

One potential solution is to have the developer specify a cookie attribute PerPartition (name needs bikeshedding) that is parsed in embedded/third-party contexts:

Set-Cookie: SID=31d4d96e407aad42; Secure; HttpOnly; PerPartition

The browser then stores that cookie in a partition keyed on (top-level-site, embedded-site).

Subsequently, when the browser makes a request to the embeddee, it includes a cookie header with only the opted-in cookies and a header to indicate the top-level site:

Cookie: SID=31d4d96e407aad42
Sec-TopLevelSite: https://toplevel.site

Note: The question of whether it is acceptable to expose the first-party to a partitioned third-party is being explored in #14
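
Added example, not part of the original issue or of any browser's code: a toy JavaScript model of the opt-in flow described in the comment above, showing that the same embedded site gets a separate jar under each top-level site. The class and method names and the .example sites are hypothetical; PerPartition and Sec-TopLevelSite are the issue's own placeholder names.

```javascript
// Toy model of the opt-in partitioned jar proposed in the issue. "PerPartition"
// and "Sec-TopLevelSite" are the issue's placeholder names; the class, method
// names and the *.example sites are hypothetical / constructed for illustration.
class PartitionedJar {
  constructor() {
    this.partitions = new Map(); // partition key -> Map(cookie name -> value)
  }

  // The partition key is the (top-level-site, embedded-site) pair.
  static key(topLevelSite, embeddedSite) {
    return JSON.stringify([topLevelSite, embeddedSite]);
  }

  // Process a Set-Cookie value seen in an embedded (third-party) context.
  // Assumption: cookies that do not opt in are not stored by this model.
  setCookie(topLevelSite, embeddedSite, setCookieValue) {
    const [pair, ...attrs] = setCookieValue.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false; // no cookie name
    const optedIn = attrs.some((a) => a.toLowerCase() === "perpartition");
    if (!optedIn) return false;
    const k = PartitionedJar.key(topLevelSite, embeddedSite);
    if (!this.partitions.has(k)) this.partitions.set(k, new Map());
    this.partitions.get(k).set(pair.slice(0, eq), pair.slice(eq + 1));
    return true;
  }

  // Headers for a request to embeddedSite while it is embedded under topLevelSite.
  // Assumption: nothing extra is sent when the partition holds no cookies.
  requestHeaders(topLevelSite, embeddedSite) {
    const part = this.partitions.get(PartitionedJar.key(topLevelSite, embeddedSite));
    if (!part || part.size === 0) return {};
    const cookie = [...part].map(([n, v]) => `${n}=${v}`).join("; ");
    return { Cookie: cookie, "Sec-TopLevelSite": topLevelSite };
  }
}

const jar = new PartitionedJar();
const embed = "https://embed.example"; // constructed embedded site
jar.setCookie("https://toplevel.site", embed,
  "SID=31d4d96e407aad42; Secure; HttpOnly; PerPartition");
jar.setCookie("https://toplevel.site", embed, "track=abc; Secure"); // not opted in
console.log(jar.requestHeaders("https://toplevel.site", embed));
console.log(jar.requestHeaders("https://other.example", embed)); // other partition
```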

@johnwilander

Interesting conversation on this topic happening here: privacycg/storage-access#75

@johannhof
Member

@annevk did this get resolved with #30? (describing cookies)

@annevk
Collaborator

annevk commented May 18, 2022

Yeah, I think the two meetings and the various proposals in this space kinda settled this really high-level question.

@annevk annevk closed this as completed May 18, 2022