HttpFixerBlogHeaders → Third-Party Cookie Deprecation 2026
Cookies

Google's Third-Party Cookie U-Turn: What Developers Need to Know in 2026

Updated April 2026

Audit your Set-Cookie headers for CHIPS compliance. Cookie Partitioning Auditor →

Google cancelled third-party cookie deprecation in July 2024. If you stopped preparing, you stopped too early. Safari has blocked third-party cookies since 2017. Firefox blocks them by default since 2022. The problem didn't go away — Chrome just didn't join yet.

What actually happened

DateEvent
Jan 2020Google announces Chrome will deprecate third-party cookies by 2022
Jun 2021Deadline moved to late 2023
Jul 2022Deadline moved to H2 2024
Jan 2024Chrome restricts third-party cookies for 1% of users for testing
Apr 2024Full deprecation delayed again — CMA regulatory concerns
Jul 22, 2024Google reverses course entirely — no deprecation. User-choice model instead.
2026Third-party cookies still work in Chrome. Safari + Firefox still block them.
Chrome status (2026): Third-party cookies are NOT deprecated in Chrome. Google introduced a user-choice model — users can opt in or out of cross-site tracking. Most users have not changed the default, so third-party cookies still work for most Chrome users.

What didn't change — Safari and Firefox

BrowserThird-party cookie statusSince
SafariBlocked by default (ITP)Safari 13.1 — March 2020
FirefoxBlocked by default (Total Cookie Protection)Firefox 86 — February 2021
ChromeStill works (user-choice model)Reversed July 2024
EdgeStill works (follows Chrome)

Safari has ~19% global browser market share. Firefox has ~4%. That's roughly 1 in 4 users where your cross-site cookies are already failing — silently, with no error in your logs.

The quiet problem: Cross-site cookie failures don't show up in your server logs. The request is made, but the cookie isn't sent. Users see broken embeds, failed auth flows, or missing preferences with no visible error. You only find out when a user reports it.

What Chrome 118+ changed (regardless of deprecation)

Even though Google didn't deprecate third-party cookies, Chrome 118 (October 2023) still enforced a change: SameSite=None cookies in third-party context now require the Partitioned attribute to work reliably.

# Before Chrome 118 — worked in third-party context
Set-Cookie: session=abc; SameSite=None; Secure

# After Chrome 118 — requires Partitioned for reliable third-party access
Set-Cookie: session=abc; SameSite=None; Secure; Partitioned

This is CHIPS — Cookies Having Independent Partitioned State. It's separate from deprecation. It's about how cookies are scoped when shared cross-site.

What developers actually need to do in 2026

1. Audit your cross-site cookies

Find every Set-Cookie header on your responses that uses SameSite=None. These are the cookies that need to work in third-party context.

# Check your Set-Cookie headers
curl -sI https://your-domain.com | grep -i "set-cookie"

# Or use the Cookie Partitioning Auditor:
# httpfixer.dev/cookies/

2. Add Partitioned to SameSite=None cookies

# Before — blocked in Safari, Firefox, and potentially Chrome
Set-Cookie: embed_session=abc; SameSite=None; Secure; Path=/

# After — works in all browsers that support CHIPS
Set-Cookie: embed_session=abc; SameSite=None; Secure; Partitioned; Path=/

3. Separate first-party from third-party cookies

Not all cookies need Partitioned. Only cookies that need to work when your domain is embedded in another site's context. First-party cookies (your own domain, your own users) are unaffected.

Cookie typeAction needed
Session cookie on your own domainNone — first-party, unaffected
Cookie set by embedded widgetAdd Partitioned
Cross-site auth cookie (SSO)Add Partitioned or use Storage Access API
Analytics/tracking cookieAdd Partitioned — or reconsider if needed
Preference cookie (same domain)None — first-party, unaffected

The Storage Access API — for Safari

For embedded iframes that need access to first-party cookies (not just partitioned cross-site cookies), the Storage Access API lets you request user permission:

// Inside your iframe — request storage access
// Required for Safari ITP compatibility in some embed scenarios
async function requestCookieAccess() {
  try {
    await document.requestStorageAccess();
    // Access granted — cookies now sent with requests
    console.log('Storage access granted');
  } catch (err) {
    // Denied or not supported — fall back to postMessage
    console.log('Storage access denied:', err);
  }
}

// Check if access is already granted (Safari 16.1+)
const hasAccess = await document.hasStorageAccess();
if (!hasAccess) {
  await requestCookieAccess();
}

What the Privacy Sandbox means for developers

Google's Privacy Sandbox APIs (Topics, Protected Audience, Attribution Reporting) are still available and being developed. They're primarily relevant for advertising use cases, not session management or auth.

For most web developers — not ad-tech — the Privacy Sandbox APIs are not relevant. The relevant changes are:

Quick checklist — 2026 cookie audit

# 1. Find SameSite=None cookies without Partitioned
curl -sI https://your-domain.com | grep -i "samesite=none" | grep -iv "partitioned"

# 2. Test in Safari (use Safari or WebKit simulator)
# Cross-site cookie failures are silent — check Application tab in DevTools

# 3. Check for missing Secure flag (required with SameSite=None)
# SameSite=None without Secure is rejected by all modern browsers

# 4. Automated audit:
# httpfixer.dev/cookies/ — paste your URL, get flagged cookies + fix per stack
Audit your cookies → Cookie Partitioning Auditor
Related: SameSite=None without Partitioned — fix Safari ITP fix Chrome cookie fix CHIPS complete guide SameSite in iframes Cookie Partitioning Auditor
Audit your Set-Cookie headers for CHIPS compliance → Cookie Partitioning Auditor