
Support for Partitioned cookie attribute #2130

Open
flavio-b opened this issue Oct 21, 2023 · 15 comments

@flavio-b
Contributor

flavio-b commented Oct 21, 2023

From the middle of 2024 onwards, Chrome will start requiring the use of a Partitioned attribute when an embedded site wants to set a cookie (source).

This attribute is still listed as an experimental feature on MDN, but it might be useful to be able to set this attribute now.

From what I gather, it seems like what's needed is a change to Rack::Utils#set_cookie_header to accommodate a new option.

Use case: An embedded Rails app that needs to set a cookie for basic session and flash messages.

Are there any plans to support this option? Or is it too early?

Warning message from Chrome:
[Screenshot: Chrome warning message about the Partitioned cookie attribute]

@ioquatix
Member

Thanks for bringing this to our attention. It seems reasonable to me. Do you want to make a PR?

@flavio-b
Contributor Author

Sure! Just submitted #2131

The PR raises an error if the secure attribute is not also set alongside partitioned. This requirement is mentioned in the Chrome docs and the official proposal. Requirements about other attributes are not very clear or don't appear set in stone, so I thought it would be good to just enforce the secure one.

@hao-atob

Thanks for doing that, @flavio-b.

We have a similar request and are wondering about the timeline for the next release, and whether there is any plan to backport this to a previous release (we are still on Rack 2).

@jeremyevans
Contributor

I don't think we should backport this to either Rack 3.0 or 2.2. We should only be backporting security fixes to Rack 2.2, and only bug and security fixes to Rack 3.0. However, other committers may feel differently.

@ioquatix
Member

Pragmatically speaking, I'd be willing to entertain back-porting this to 3.0, but I basically agree with Jeremy, we should probably try to follow a more predictable model where possible, i.e. only back-port security fixes. Now that Rails 7.1 is released, I think we can start moving towards a Rack 3.1 release. So, maybe that's something we can focus on so this feature is released sooner rather than later.

@lssachin

lssachin commented Dec 7, 2023

We do have the same issue, and Chrome is going to deprecate third-party cookies for 1% of Chrome users globally starting Q1 2024.

https://privacysandbox.com/open-web/#the-privacy-sandbox-timeline
https://developers.google.com/privacy-sandbox/3pcd

@ioquatix
Member

ioquatix commented Dec 7, 2023

@jeremyevans what would you like to do here?

@jeremyevans
Contributor

I think we should merge this. However, as it is a new feature and not a bug fix, I don't think we should backport it.

@flavio-b
Contributor Author

flavio-b commented Dec 7, 2023

@jeremyevans, #2131 has been merged. Are you able to do a 3.1 release as @ioquatix suggested?

@jeremyevans
Contributor

I am not. I'm on the rack core team, but I'm not an owner of the rack gem. The core team needs to review other existing pull requests before deciding which to merge before 3.1.

@cilim

cilim commented Mar 26, 2024

@jeremyevans any news about this?

@ioquatix ioquatix added this to the v3.1.0 milestone Mar 26, 2024
@ioquatix
Member

We are aiming to do a 3.1 release within the next two months.

@jorgembfigueira

> We are aiming to do a 3.1 release within the next two months.

The absence of support for the Partitioned cookie attribute poses significant security risks and could lead to compliance issues. Can we prioritize its release to mitigate these risks ASAP?

@edrd-f

edrd-f commented Apr 2, 2024

Chrome is phasing out third-party cookies and since Q1 this year, for 1% of the users they're already being blocked.
Given this is already impacting users and partitioned cookies are the drop-in solution, it would be great if this could be released soon 🙏

@phsultan

phsultan commented Apr 5, 2024

As a workaround for earlier versions of rack where this won't be backported, it looks possible to add the Partitioned attribute to SameSite=None cookies.

$ cat ./config/initializers/partitioned_cookies.rb

```ruby
# frozen_string_literal: true

# Rack middleware that appends the Partitioned attribute to every
# SameSite=None cookie in the response. Assumes a Rack 2 style header,
# where "Set-Cookie" is a single String (one cookie per line).
class PartitionedCookies
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)

    set_cookie_header = headers["Set-Cookie"]

    # Only rewrite cross-site cookies, and skip any that already carry
    # the attribute so it is not appended twice.
    if set_cookie_header && set_cookie_header =~ /SameSite=None/
      headers["Set-Cookie"] = set_cookie_header.gsub(
        /SameSite=None(?!; Partitioned)/, "SameSite=None; Partitioned;"
      )
    end

    [status, headers, body]
  end
end

# Inserting before ActionDispatch::Cookies means this middleware wraps it,
# so it sees the Set-Cookie header after the cookies have been written.
Rails.application.config.middleware.insert_before(ActionDispatch::Cookies, PartitionedCookies)
```

Inspired by this post. Hope this helps!
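The following is an added example, not code from the issue, from the PR or from Rack. It covers both the Secure requirement the PR enforces (a Partitioned cookie must also be Secure) and the workaround above: it rewrites a Rack 2 style `Set-Cookie` string (one cookie per line), adds `Partitioned` only to `SameSite=None` cookies that are already `Secure`, and leaves cookies that already carry the attribute, or that lack `Secure`, untouched rather than emitting a cookie the browser would reject. The module and method names are assumptions.

```ruby
# Hypothetical helper module; not part of Rack or the issue's code.
module PartitionedCookieFilter
  # Rack 2 style Set-Cookie header: one cookie per line.
  def self.each_cookie(header)
    header.split("\n")
  end

  # Lower-cased attribute names of one cookie, e.g. ["path", "secure", "samesite"].
  def self.attribute_names(cookie)
    cookie.split(";").drop(1).map { |a| a.strip.split("=", 2).first.downcase }
  end

  # True when the cookie is a cross-site cookie (SameSite=None).
  def self.cross_site?(cookie)
    cookie.split(";").drop(1).any? { |a| a.strip.casecmp?("SameSite=None") }
  end

  # Append "Partitioned" to a SameSite=None cookie that is also Secure and
  # does not already have the attribute. Anything else is returned unchanged:
  # a Partitioned cookie without Secure is rejected by the browser, so it is
  # better surfaced to the developer than silently rewritten.
  def self.partition(cookie)
    names = attribute_names(cookie)
    return cookie if names.include?("partitioned") || !cross_site?(cookie)
    return cookie unless names.include?("secure")
    "#{cookie}; Partitioned"
  end

  # Rewrite every cookie in a Rack 2 style header string.
  def self.partition_header(header)
    each_cookie(header).map { |c| partition(c) }.join("\n")
  end

  # Rack 2 style middleware built on the functions above.
  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      status, headers, body = @app.call(env)
      value = headers["Set-Cookie"]
      headers["Set-Cookie"] = PartitionedCookieFilter.partition_header(value) if value.is_a?(String)
      [status, headers, body]
    end
  end
end
```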
