Reputation: 1156
I manage an Electron application where authorization is provided by a JWT cookie set from my server, and I have recently noticed the "Reading cookie in cross-site context will be blocked in future Chrome versions" message.
The explanation makes sense:
Cookies with the SameSite=None; Secure and not Partitioned attributes that operate in cross-site contexts are third-party cookies. In future Chrome versions, reading third-party cookies will be blocked. This behavior protects user data from cross-site tracking.
Google provides the following article for more info: https://developers.google.com/privacy-sandbox/3pcd. However, it does not mention the use of cookies in Chromium/Electron.
The only cookies in use are set by my back-end server. If my code were a webpage, it'd be fine, but because Chromium is running in my Electron app, is it true that any and all cookies will be cross-site?
What strategies should we be considering to handle this for the near future?
Thanks in advance Stack Overflow community.
Upvotes: 2
Views: 1274
Reputation: 29326
Native apps don't use cookies to call APIs. They use access tokens and follow best practices from RFC 8252. You need to design backend entry points that allow your desktop app to receive and send access tokens.
Cookies in the Chromium browser in a desktop app will always be considered third-party. The behaviors from the RFC6265bis document are then likely to be applied:
The spec allows for some third-party cookie exemptions, e.g. browsers can send SameSite=None cookies to authentication systems when an entire window is redirected in a way that is visible to the user. This does not include API requests though.
I cannot give you a definitive answer on Google's exact behaviors, some of which could be internal and undocumented. It is likely to follow the spec though.
Upvotes: 1