CHIPS — Partitioned Cookies After Third-Party Cookie Death
Updated April 2026
Chrome removed third-party cookies in 2026. If you run a widget, payment iframe, or embedded service that relied on cookies across sites, your users are now seeing broken sessions. CHIPS is the correct replacement — not a workaround, but the actual spec.
What changed and why it broke your embed
Before Chrome 2026, if you embedded your widget on customer.com, your widget's JavaScript could set and read cookies on your domain (widget.yourapp.com) across any site. Chrome's third-party cookie removal cut this off. Cookies set without the Partitioned attribute are blocked in cross-site contexts.
The fix — add the Partitioned attribute
# Before (stopped working in Chrome 2026) Set-Cookie: session=abc123; SameSite=None; Secure # After — with Partitioned (CHIPS) Set-Cookie: session=abc123; SameSite=None; Secure; Partitioned
That one word is the entire fix for most embedded services. The cookie now works in cross-site iframes again — but the storage is isolated per top-level site.
What "partitioned" actually means
Without Partitioned, your cookie is shared across all sites where your widget is embedded. With Partitioned, each top-level site gets its own isolated copy of your cookie. A user who sees your widget on shop-a.com and shop-b.com will have two separate sessions — the sites cannot share cookie state.
# User visits shop-a.com which embeds your widget Set-Cookie: widget_session=abc; SameSite=None; Secure; Partitioned # Cookie key: (widget.yourapp.com, shop-a.com) # User visits shop-b.com which also embeds your widget # A DIFFERENT cookie is created: # Cookie key: (widget.yourapp.com, shop-b.com)
Setting Partitioned cookies in your backend
Express / Node.js
res.setHeader("Set-Cookie", "widget_session=abc123; SameSite=None; Secure; Partitioned; Path=/; Max-Age=86400");
FastAPI / Python
# FastAPI does not have a native Partitioned parameter yet # Set the header manually response.headers["Set-Cookie"] = ( "widget_session=abc123; SameSite=None; Secure; Partitioned; Path=/; Max-Age=86400" )
Nginx (for a reverse proxy setting cookies)
add_header Set-Cookie "widget_session=abc123; SameSite=None; Secure; Partitioned; Path=/; Max-Age=86400" always;
Check if Partitioned is working
Open your embedded widget in a cross-site iframe. Go to DevTools → Application → Cookies → your domain. You should see a "Partitioned" icon or indicator next to the cookie. If the cookie is absent entirely, the Partitioned attribute is not being sent correctly.
What if you need cross-site session sharing?
Partitioned cookies deliberately prevent cross-site sharing. If your use case genuinely requires knowing a user is the same person across different embed sites, you need a different approach: server-side session management with user authentication, not cookies. The era of stateful cross-site cookies is over.
Browser support
| Browser | CHIPS support | Notes |
|---|---|---|
| Chrome 114+ | Full | Required for cross-site iframes |
| Edge 114+ | Full | Same as Chrome |
| Firefox | Partial | Firefox has its own cookie partitioning (Total Cookie Protection) — Partitioned attribute supported |
| Safari | Partial | Safari already partitions by default via ITP — Partitioned attribute accepted |