
All about partitioned cookies (CHIPS)

What is cross site tracking?

Cross-site tracking allows companies, advertisers, and data aggregators to create comprehensive profiles of individuals’ online behaviour by aggregating data from various sources.

The primary purpose of cross-site tracking is often for targeted advertising, as it enables advertisers to deliver personalised ads based on a user’s browsing history and interests. While this can enhance the relevancy of advertisements for users, it also raises concerns about privacy and data security.

For example:

  1. A user visits https://website-1.example, which embeds content from https://website-3.example. https://website-3.example sets a cookie on the user’s device.
  2. The user visits https://website-2.example, which also embeds https://website-3.example. This new instance of https://website-3.example is still able to access the cookie set when the user was on the previous page.

This works because cookies are currently stored with a key based on the host or domain name of the site that set them, aka the host key. In the above case the cookie would be stored with a key of ("website-3.example").

How does CHIPS work?

Browsers that support CHIPS recognise a new attribute for the Set-Cookie HTTP header: “Partitioned”. By setting this attribute on a cookie, a site owner opts in to CHIPS for that cookie.

Revisiting the example we described in the previous section:

  1. A user visits https://website-1.example, which embeds content from https://website-3.example. https://website-3.example sets a cookie on the user’s device using Partitioned, meaning that the site owner opts in to CHIPS.
  2. The storage key for the cookie would now be {("https://website-1.example"), ("website-3.example")}.
  3. When the user visits https://website-2.example, which also embeds https://website-3.example, this new embedded instance is no longer able to access the cookie because the partition key doesn’t match.
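
The two storage-key schemes described above can be modelled in a few lines. This is an added example, not code from any browser: the CookieJar class, its method names and the cookie value are hypothetical, and the model only covers key selection.

```javascript
// Toy model of a browser cookie jar (added illustration, not browser code).
// Unpartitioned cookies are keyed by host; cookies set with Partitioned are
// keyed by {top-level site, host}, as in the article's storage-key notation.
class CookieJar {
  constructor() {
    this.store = new Map(); // storage key -> Map(cookie name -> value)
  }

  static key(topLevelSite, host, partitioned) {
    return partitioned ? `{("${topLevelSite}"), ("${host}")}` : `("${host}")`;
  }

  // Process a Set-Cookie header from `host` embedded under `topLevelSite`.
  setCookie(topLevelSite, host, header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const partitioned = attrs.some((a) => a.toLowerCase() === "partitioned");
    const k = CookieJar.key(topLevelSite, host, partitioned);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(pair.slice(0, eq), pair.slice(eq + 1));
    return k;
  }

  // Cookies attached to a request to `host` embedded under `topLevelSite`:
  // the host-keyed entries plus the one matching partition, nothing else.
  cookiesFor(topLevelSite, host) {
    const out = {};
    for (const partitioned of [false, true]) {
      const jar = this.store.get(CookieJar.key(topLevelSite, host, partitioned));
      if (jar) for (const [name, value] of jar) out[name] = value;
    }
    return out;
  }
}

// Constructed walk-through of the article's website-1/2/3 scenario.
function scenario(header) {
  const jar = new CookieJar();
  const key = jar.setCookie("https://website-1.example", "website-3.example", header);
  return {
    key,
    onSite1: jar.cookiesFor("https://website-1.example", "website-3.example"),
    onSite2: jar.cookiesFor("https://website-2.example", "website-3.example"),
  };
}

console.log(scenario("id=abc123; Secure; SameSite=None"));
console.log(scenario("id=abc123; Secure; SameSite=None; Partitioned"));
```

With the first header the cookie is visible under both top-level sites; with the second it is visible only under https://website-1.example.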

Which website enforces CHIPS: a.com or the third party?

Browser:

  • The browser, such as Chrome or Firefox, is responsible for enforcing CHIPS and ensuring cookies are stored in separate partitions based on the website they originated from. This prevents unauthorized cross-site sharing of information.

While Chrome and other browsers play a crucial role in enforcing CHIPS and ensuring that partitioned cookies work correctly, the initial opt-in to partitioning actually happens at the website level, in the code used to set cookies.

Here’s the breakdown:

  1. Website Code: When a website wants to set a cookie, it uses code (often involving libraries or frameworks) that specifies attributes such as name, value, expiration time, and Partitioned.
  2. Partitioned Attribute: This attribute, introduced with CHIPS, indicates that the cookie should be stored in a separate “partition” for that specific website within the user’s browser.
  3. Browser Enforcement: When the browser receives the cookie with the Partitioned attribute, it ensures it’s stored and accessed separately from cookies from other websites, even if they originate from the same domain.

So basically the main website will have to say that it wants partitioning enabled, so that any third-party website isn’t able to access a cookie set inside a.com at another website, say b.com?

That’s partially correct, but the process is a little more nuanced. Here’s a breakdown:

Enabling Partitioning:

  • The main website (a.com) doesn’t have an explicit setting to “enable partitioning” for all third-party content. The responsibility primarily lies with the third-party service (b.com) that serves the ads or chat box.
  • However, a.com can play a role in promoting CHIPS-compliant third-party providers. They can choose partners who actively implement CHIPS and set partitioned cookies correctly.

Third-Party Responsibility:

  • The third-party service (b.com) needs to ensure their code uses the Partitioned attribute when setting cookies on a.com. This separates their cookie data from a.com’s own cookies within the browser.
  • If b.com doesn’t implement CHIPS, their cookie on a.com could still be accessible to them, potentially containing information about your activity on a.com.
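
A site owner choosing partners, or a third party reviewing its own responses, can check the Set-Cookie headers for the opt-in. The following is an added example, not code from the article: auditChips and the sample headers are hypothetical, and the checks beyond Partitioned itself (Secure is required alongside it, SameSite=None is needed for the cookie to be sent from an embed, the __Host- prefix is recommended) come from browser documentation rather than from this page.

```javascript
// Audit Set-Cookie headers returned by an embedded third-party service
// (added illustration; the sample headers at the bottom are constructed).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1); // flag attributes become true
  }
  return { name: pair.slice(0, eq), attrs };
}

function auditChips(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.partitioned) {
    // No opt-in: the cookie is stored under the host key only.
    findings.push("no Partitioned attribute: cookie is keyed by host only");
    return { name, findings };
  }
  if (!attrs.secure) {
    findings.push("Partitioned without Secure: browsers reject the cookie");
  }
  if (String(attrs.samesite).toLowerCase() !== "none") {
    findings.push("SameSite=None missing: cookie is not sent from an embed");
  }
  if (!name.startsWith("__Host-")) {
    findings.push("no __Host- prefix: cookie is not bound to a single host");
  }
  return { name, findings };
}

// Constructed sample headers, from unpartitioned to fully opted in.
const SAMPLE_HEADERS = [
  "sid=1; Secure; SameSite=None",
  "sid=1; Partitioned",
  "__Host-sid=1; Secure; Path=/; SameSite=None; Partitioned",
];

for (const h of SAMPLE_HEADERS) {
  const { name, findings } = auditChips(h);
  console.log(name, findings.length ? findings : "ok");
}
```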

Browser Enforcement:

  • Ultimately, the browser enforces the partitioning. When a cookie with the Partitioned attribute arrives, the browser stores it in a separate “partition” specifically for b.com, preventing a.com from accessing it directly.

How Partitioning Works (Example):

  1. Main Website: Let’s say you visit www.newssite.com.
  2. Embedded Content: www.newssite.com embeds an advertisement iframe from www.adprovider.com.
  3. Cookie Set: www.adprovider.com, when embedded in www.newssite.com, sets a cookie. It includes the Partitioned attribute in the Set-Cookie header.
  4. Browser Partitioning: Your browser recognizes that the cookie originates from a third-party context (www.adprovider.com) that’s different from the top-level site (www.newssite.com). It automatically partitions that cookie by the top-level site context.
  5. Later Visit: You visit another website, www.shoppingsite.com, which also includes an ad from www.adprovider.com. Because the cookie was partitioned, the browser won’t send the cookie from www.newssite.com’s partition to the ad provider on the www.shoppingsite.com domain.
