Support for partitioned cookies #2797

Closed
alexcjohnson opened this issue Oct 12, 2023 · 6 comments
@alexcjohnson

As part of their third-party cookie crackdown, Chrome will start requiring partitioned cookies for content in an iframe at some point in the future. So far only Chrome and derived browsers support this, but according to my testing other browsers accept and ignore the Partitioned attribute, so it should be safe to add.

My current goal is to future-proof a library that serves Dash apps in iframes and requires session cookies, and without built-in support the simplest solution I can find is to monkey-patch werkzeug.sansio.response.dump_cookie 🙈

This functionality is effectively an extension of (and only relevant when) SameSite=None so I could imagine it being implemented as samesite = "None; Partitioned" (in the session cookie context, app.config["SESSION_COOKIE_SAMESITE"] = "None; Partitioned") if you feel a separate attribute (partitioned = True and app.config["SESSION_COOKIE_PARTITIONED"] = True) would be excessive.
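The two options raised above (folding `Partitioned` into the `SameSite` value versus a separate flag) differ in how easy it is to keep the attribute combination coherent. The following is an added example, not Werkzeug's, Flask's or Dash's code: a small `Set-Cookie` builder that treats `Partitioned` as its own attribute and refuses the combinations that make no sense (no `Secure`, or a `SameSite` other than `None`), plus an audit helper that inspects a header value a patched serializer actually emitted. The function names and the rule set encoded here are this example's own assumptions, taken from the attribute semantics discussed in the thread.

```python
"""Build and audit Set-Cookie header values carrying the Partitioned attribute.

Added example; not Werkzeug or Flask code. Rules encoded here: Partitioned
requires Secure, and is only meaningful together with SameSite=None, since a
cookie in a cross-site iframe is a cross-site cookie by definition.
"""
from __future__ import annotations

from typing import Optional


def build_set_cookie(
    name: str,
    value: str,
    *,
    secure: bool = False,
    httponly: bool = False,
    samesite: Optional[str] = None,
    partitioned: bool = False,
    path: str = "/",
) -> str:
    """Return a Set-Cookie header value, validating the attribute combination.

    ``partitioned`` is a separate flag rather than part of ``samesite``,
    because Partitioned is its own attribute in the Set-Cookie grammar.
    """
    if any(c in name for c in " ;,=") or any(c in value for c in " ;,"):
        raise ValueError("cookie name/value contains characters not allowed in Set-Cookie")
    if samesite is not None and samesite.title() not in ("Strict", "Lax", "None"):
        raise ValueError(f"invalid SameSite value: {samesite!r}")
    if samesite is not None and samesite.title() == "None" and not secure:
        raise ValueError("SameSite=None cookies must also be Secure")
    if partitioned:
        # A partitioned cookie is sent in a cross-site context, so it must be
        # Secure and is only meaningful alongside SameSite=None.
        if not secure:
            raise ValueError("Partitioned cookies must be Secure")
        if samesite is None or samesite.title() != "None":
            raise ValueError("Partitioned is only meaningful with SameSite=None")

    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    if samesite is not None:
        parts.append(f"SameSite={samesite.title()}")
    if partitioned:
        parts.append("Partitioned")
    return "; ".join(parts)


def audit_set_cookie(header: str) -> list[str]:
    """Return the problems found in an existing Set-Cookie header value.

    Handy for checking what a monkey-patched serializer really emits.
    An empty list means the attribute combination is coherent.
    """
    segments = [s.strip() for s in header.split(";")]
    attrs: dict[str, str] = {}
    for seg in segments[1:]:          # segments[0] is the name=value pair
        key, _, val = seg.partition("=")
        attrs[key.lower()] = val
    problems: list[str] = []
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure will be rejected by browsers")
    if "partitioned" in attrs:
        if "secure" not in attrs:
            problems.append("Partitioned without Secure")
        if samesite != "none":
            problems.append("Partitioned without SameSite=None has no effect in a cross-site iframe")
    return problems


if __name__ == "__main__":
    # Constructed sample: a session cookie intended for a cross-site iframe.
    hdr = build_set_cookie("session", "abc123", secure=True, httponly=True,
                           samesite="None", partitioned=True)
    print(hdr)
    print(audit_set_cookie(hdr))
    print(audit_set_cookie("session=abc123; Path=/; SameSite=None; Partitioned"))
```

Keeping `partitioned` as its own keyword means a `SESSION_COOKIE_PARTITIONED`-style setting can be validated against `SESSION_COOKIE_SECURE` and `SESSION_COOKIE_SAMESITE` at configuration time, instead of discovering a rejected cookie in the browser console.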

@davidism
Member

Partitioned is a separate Set-Cookie attribute from SameSite, so it would not make sense to combine them.

MDN documentation does not list a specification for this feature yet, only a description of it. Therefore, I'm not clear that this is a standard or that it is time to implement it. MDN documentation is a public repo, so if you have more information about this feature you can make a PR there to add the link to the spec first.

@alexcjohnson
Author

True, doesn't seem to have a spec, though it's pretty simple. Most of the complexity comes in how it interacts with the other attributes, which I suppose Flask could choose to either restrict or just leave up to users.

It's enabled by default since Chrome 116 after a long trial period so seems unlikely to change, but I don't see that they've stated any particular date to start enforcing it.

@davidism
Member

davidism commented Oct 12, 2023

The simplicity isn't the issue here, it's the lack of a spec. Maybe it exists, but it's not linked in the documentation I refer to for these things, so that needs to be addressed first.

@davidism davidism transferred this issue from pallets/flask Oct 12, 2023
@davidism
Member

davidism commented Nov 3, 2023

Hmm, the spec was linked pretty soon after: mdn/browser-compat-data#20959, but the spec is described as "expired draft". This isn't really giving me confidence.

@frankier

frankier commented Jan 17, 2024

The specification process for this is a bit confusing as implementers have chosen different strategies:

  • Chrome has decided to implement opt-in partitioning. When strict 3rd party cookies are enabled, they are blocked unless they are flagged as partitioned.
  • Firefox implements partitioned by default instead of blocking cross site cookies when strict 3rd party cookies are enabled. They are positive on the partitioned standard.
  • Safari initially tried to implement a heuristic approach before giving up and blocking all 3rd party cookies. They are also positive on the standard. The only modification they have suggested is a size limit, which an initial Werkzeug implementation would not need to consider.

What this means in practice is that Chrome supports the standard, and Firefox implements behaviour which interoperates with the standard by ignoring the attribute and implementing the same behavior.

I think this means this would be useful to implement already, since at this point it is very unlikely the spec will change significantly. The fact the standard draft has expired just means that it's more than 6 months old without an update.

@wangadong

As the phaseout of third party cookies in Chrome is approaching, we would like to implement CHIPS, aka partitioned cookies, for some iframe usages. I would also love to see that we could support this ASAP so we don't need to hack SameSite to do this.

@davidism davidism mentioned this issue Feb 27, 2024
@davidism davidism added this to the 3.1.0 milestone Apr 8, 2024
@davidism davidism closed this as completed Apr 8, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 23, 2024