Google blocking 3rd party cookies effect on Cloudflare JS Challenge

Google Chrome is picking users at random and blocking 3rd party cookies to see if they affect a website. They say that just 1% of users are randomly chosen for this test.
I ran into this when I accessed a page that I have a JS Challenge on and Chrome warned me that it had blocked a 3rd party cookie. It didn’t seem to affect the JS Challenge from working.
But I’m wondering if this could be an issue in the future.

Wonder if there is any article about this available to read? Could you share some?

Is that an individual act, rather a setting which you’ve configured under the Settings of Google Chrome, or it came “as default”? :thinking:

I’ve tried to replicate this with a test page where my WAF rule is set to JS Challenge on my Chrome with a desktop PC, however it couldn’t get this warning message or a pop-up.

I am not aware, however cannot say in sure due to Google’s policy and don’t know what would happend to the cookies in future as well.

Here is web page on developers.google.com about Google’s plan to block 3rd party cookies by the middle of 2024
https://developers.google.com/privacy-sandbox/3pcd

On that page it says:

To facilitate testing, Chrome has restricted third-party cookies by default for 1% of users. During this testing period, it is important for sites and services to start preparing for third-party cookie restrictions, including moving to more private alternatives.

What happened to me is that one time when I was using Chrome and I went to one of my pages where I have a JS Challenge, I got a warning from Chrome that the page I was wanting to look at had a 3rd party cookie which Chrome blocked.

It only happened once. It hasn’t happened since. I’m just concerned that when Chrome blocks all 3rd party cookies for all users, that using JS Challenge on any page may result in Chrome warning that the page has a 3rd party cookie.

Reasonable concern :+1:

However, as far as I’ve tested myself individually on one of my Websites using Cloudflare, the Captcha or Javascript challenge result uses cf_clearance cookie, which scope is 3rd-party cookie and is categorized as Functional cookie, uses SameSite=none → this is on normal webpage where JS Challenge is not presented (rather only to store data).
Also there is __cf_bm (Bot Management) cokie with same scope and category also SameSite=none, possibly more of them as per docs stated from link below (Load Balancer, etc.).

Despite not Cloudflare related, wonder what I don’t know, Google Analytics also is the same, 3rd-party, what would then happen to it and traffic analytics for many of their customers?

As per the Docs from the link you’ve shared, I’ve installed and went to audit and also enabled the experimental feature on my Google Chrome to see what happens.
Restarted chrome and the pop-up showed.

slika

Aftermath, the testing results for my case were:
a) Google AdSense ads aren’t showing up
b) The ads served from a sub-domain via Revive AdServer (ex OpenX) aren’t showing up
c) Google Analytics doesn’t track my pageview and visit anymore
d) I have got the WAF Rule with the old “JS Challenge” method (I should switch and use Managed Challenge instead) on a test page (let’s say that’s a login form) and it is working as expected, the cf_clearance cookie is First Party
e) Cloudflare Turnstile on a form is working as expected (no cookies found)
f) A widget for comments (Disqus) sometimes doesn’t show up

Regarding Cloudflare cookies, I believe Cloudflare team would follow up in the meantime and is already tracking those upcoming changes. Therefore, would publish a blog post about it in the meantime, if already not, and implement a solution for it if needed.

Nevertheless, I would love to know if everyone will adopt and change things to Google’s :poop: they’re kind of trying to impose on all of us and rule the Internet.

I have JS Challenge on three of my pages, My Account, Checkout, and Add to Cart links. And the JS Challenge does put cookies from https://challenges.cloudflare.com.
Google does talk about Related Website Sets you can create where you explain what 3rd party cookies are acceptable on your site.
https://developers.google.com/privacy-sandbox/3pcd/related-website-sets
It looks like you would list your related websites at /.well-known/related-website-set.json
Since I don’t see much discussion about Google’s plans on blocking 3rd party cookies, I wonder if they will actually try to enforce it. It could break a lot of things.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.