How Cookies Are Shaping the Future: Exploring the Concept of Cookies Having Independent Partitioned State (CHIPS)
Cookies Having Independent Partitioned State (CHIPS), also known as Partitioned cookies, enable developers to designate a cookie for partitioned storage, creating a distinct cookie jar for each top-level site.
What is cross site tracking?
Cross-site tracking allows companies, advertisers, and data aggregators to create comprehensive profiles of individuals’ online behaviour by aggregating data from various sources.
The primary purpose of cross-site tracking is often for targeted advertising, as it enables advertisers to deliver personalised ads based on a user’s browsing history and interests. While this can enhance the relevancy of advertisements for users, it also raises concerns about privacy and data security. Many users are concerned about the potential misuse of their personal information, leading to debates and regulations aimed at protecting online privacy, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.
For example:
- A user visits
https://website-1.example, which embeds content fromhttps://website-3.example.https://website-3.examplesets a cookie on the user's device. - The user visits
https://website-2.example, which also embedshttps://website-3.example. This new instance ofhttps://website-3.exampleis still able to access the cookie set when the user was on the previous page.
This works because cookies are currently stored with a key based on the host or domain name of the site that set them, aka the host key. In the above case the cookie would be stored with a key of ("website-3.example").
Web browsers have implemented various features and technologies to mitigate cross-site tracking, including cookie restrictions, tracking prevention, and privacy-focused settings, allowing users more control over their online privacy.
How does CHIPS work?
Browsers with CHIPS support introduce a novel attribute for the Set-Cookie HTTP header: “Partitioned.” When this attribute is enabled, site owners can opt in to utilizing CHIPS.
Set-Cookie: __Host-example=34d8g; SameSite=None; Secure; Path=/; Partitioned;When “Partitioned” is enabled, the cookie is stored utilizing two keys: the host key and a newly introduced partition key. This partition key is determined based on the scheme and eTLD+1 of the top-level URL that the browser was accessing when the request was sent to the URL endpoint responsible for setting the cookie.
Revisiting the example we described in the previous section:
- A user visits
https://website-1.example, which embeds content fromhttps://website-3.example.https://website-3.examplesets a cookie on the user's device usingPartitioned, meaning that the site owner opts in to CHIPS. - The storage key for the cookie would now be
{("https://website-1.example"), ("website-3.example")}. - When the user visits
https://website-2.example, which also embedshttps://website-3.example, this new embedded instance is no longer able to access the cookie because the partition key doesn't match.
Browser compatibility
CHIPS Cookies — Introduced in Symfony 6.4
Symfony 6.4 / 7 supports CHIPS cookies in the HttpFoundation component. In practice, cookies now include a partitioned flag that you can set when creating them:
use Symfony\Component\HttpFoundation\Cookie;
$cookie = new Cookie('cookie-name', 'cookie-value', '...', partitioned: true);
// or:
$cookie = Cookie::fromString('cookie-name=cookie-value; ...; Partitioned;');
// or:
$cookie = ...
$cookie->withPartitioned();And you can also check if a cookie is a CHIPS cookie with this new method:
$isPartitioned = $cookie->isPartitioned();As you delve further into the world of CHIPS and its benefits, I encourage you to explore the detailed documentation available.
Thank you for taking the time to read this blog, and I trust that the insights shared here will empower you in your web development journey, enhancing security and performance along the way.
