Third party cookies must be removed

Original Article ↗ Hacker News Discussion ↗

Use cases, breakage, and “do we need a replacement?”

  • Many commenters say they’ve blocked third‑party cookies (3PCs) for years with no practical issues; a few only see minor breakage (e.g. some embedded videos).
  • Others report real breakage, especially for cross‑domain embeds that need ambient login: LMS platforms embedding tools, SSO flows, embedded iframes that need to know who you are but can’t trust the parent domain.
  • There’s debate over whether these are “regular human” needs or niche corporate/education cases, but they’re acknowledged as genuine use cases.
  • Workarounds like OAuth, server‑to‑server calls, CORS, or Storage Access API exist but are criticized as much more complex and costly to integrate.

Advertising, business models, and Google/Chrome

  • One camp: 3PCs are mainly for ad tracking; if ad networks suffer, that’s not a user problem.
  • Another: users will lose “free” ad‑funded services they like; replacement funding models are hard.
  • Several note that Google could track fine without 3PCs, so removal hurts competitors more; this is tied to antitrust scrutiny and regulators requiring “replacement” solutions to preserve competition.
  • Chrome’s decision not to fully remove 3PCs is seen by some as protecting ad rivals, by others as capitulating to adtech pressure.

Privacy, fingerprinting, and JavaScript

  • Strong concern that removing 3PCs will push sites toward more aggressive fingerprinting and server‑side profiling, which are harder to see or block.
  • Others argue fingerprinting is already widespread; removing 3PCs is still a net win and lets standards/browsers focus on fingerprinting next.
  • Some believe technical fixes are limited as long as JS can run arbitrary code; others propose strict network restrictions, taint/“poisoning” models, or heavily locked‑down JS profiles.
  • There’s significant support for legal approaches (GDPR‑like bans on fingerprinting, criminalizing data hoarding), though skepticism about enforcement also appears.

Standards bodies and “privacy‑preserving” replacements

  • The W3C document is criticized as disorganized, politically influenced by adtech members, and more about keeping tracking viable than truly protecting privacy.
  • “Privacy‑preserving attribution” and Google’s Privacy Sandbox are seen by many as rebranded tracking, likely to coexist with 3PCs rather than replace them.

Workarounds and alternative designs

  • Commenters outline ways to re‑create cross‑site tracking with first‑party cookies, redirects, proxying through subdomains, server‑to‑server APIs, and fingerprinting.
  • Some propose more radical changes: client certificates instead of cookies, DNS or “first‑party sets” declarations for related domains, stricter state partitioning, or even a UI distinction between low‑risk “documents” (no JS) and high‑risk “apps.”

User practices and attitudes

  • Many already block 3PCs, use Firefox/Brave with extensions, or disable JS by default; they report mostly tolerable friction.
  • Others think privacy is effectively impossible online and focus on using pseudonymous identities instead of trying to avoid tracking entirely.