[bochoh]

> Not all cookies are used for tracking. No, but third-party cookies are basically used for tracking. A legitimate site does not depend on a third-party cookie to handle features or login. At all, full stop no ifs, ands, or buts.

I'd point out that in the case of DocuSign signing sessions powered by iframes that without being able to set this third party cookie prevents the session from loading. Probably the only use case of a third party cookie being useful that I can think of.

[pas]

Aren't the site in the iframe uses its own cookie? (So it doesn't count as 3rd party, no?)

[nevon]

That's not how it works. Even if you're setting the cookie on your own domain, if you're embedding your site in an iframe on a different domain, you won't be able to read your own cookies from within the iframe after this change.

[pas]

Oh! Could you show the relevant post/source from webkit for this?

After reading the webkit blog post on ITP I had no idea they changed this, but yeah, they are probably going to anyway if haven't yet. Otherwise it'd be too easy game this.

[nevon]

Well, that's how cookies in iframes have always worked. The only difference is that these changes explained in the blog post you mentioned means that since you never interact with the domain in a first-party context, you won't be able to read the cookies while in a third-party context. See the heading "Actions Taken After Classification" in https://webkit.org/blog/7675/intelligent-tracking-prevention...