[jakelazaroff]

Sure it can. Samesite cookies will prevent e.g. Google Analytics from identifying me between domains, since any samesite cookies they set for the domain from which they’re serving their script/pixel won’t be sent. (Presumably tracking prevention will eventually start to block cookies with samesite disabled).

[michaelt]

Browsers have offered a "block third party cookies" setting for decades.

I'm honestly surprised none of the major browsers block third party cookies by default, it's much simpler XSRF protection than this as it doesn't rely on site developers updating and setting the new flag right.

Of course, two sites that seriously want to collaborate on user tracking (or login) can always forward the user’s whole browser window there and back, with URL parameters to synchronise first party cookies.

[bawolff]

> as it doesn't rely on site developers updating and setting the new flag right.

Chrome is enabling this flag by default. Websites can opt out, but if they do nothing they are opted in.

Blocking third party cookies doesnt really stop csrf attacks. At most it makes the attack a bit more noticeable as it prevents some of the quieter methods of pulling off the attack. Since as far as i understand, if you submit a cross-domain POST form, that's still a first party cookie

[Buge]

> (Presumably tracking prevention will eventually start to block cookies with samesite disabled).

This means the privacy advantage doesn't really come now, it instead comes at some hypothetical point in the future.