Google Chrome Third-Party Cookie Phase Out

Glossary

  • Cookie: data stored in the web browser, typically used to store critical information about the user session. Cookies are vital to most websites’ functions. They are also used for tracking, ads, metric collection, etc.
  • Inline Frame (iFrame): a common method for a website to embed content from other websites. In the picture below, maps.site is considered to be within an iFrame inside travel.site.
  • Top-level site: the website that is hosting other website(s) in iFrames. In the picture below, travel.site is the top-level site.
  • Third-party cookie: cookies that do not have the same origin as the website that is trying to access the cookie. In the picture below, a cookie from a maps.site origin would be considered third-party to travel.site.
  • Online banking platform: the application that customers of a financial institution use to access all of their banking information.
  • eStatement site: the application, hosted by InfoIMAGE, where users go to access their statements online.

Overview

In an effort to protect user privacy, Chrome has decided to phase out third-party cookies. The goal is to prevent tracking and advertising across different websites. The InfoIMAGE eStatement site is affected because it is sometimes placed inside an iFrame within the online banking platform, which puts the eStatement site under the same restrictions.

The rollout is scheduled to be late Q3 2024. However, Chrome is also doing a partial rollout to 1% of all Chrome users starting in January. Some banking customers will inadvertently be affected. This is why actions have to be taken as soon as possible.

Furthermore, Chrome is one of the industry leaders. Other web browsers will most likely follow suit with this update. Firefox and Safari have already implemented stricter restrictions on third-party cookies by default. We have to address this before major disruption occurs for the end users. Web browsers, in their effort to protect user privacy, will not want to leave workarounds available for advertisement and tracking applications to exploit. Trying to find a workaround means actively fighting against industry standards. It is a losing battle. Anything we can exploit now will eventually be patched out in the future.

How does this impact the eStatement Site?

  • Without any action taken, the eStatement site will no longer work inside an iFrame. The eStatement site requires cookies and/or other web storage to be functional. The cookies are used for security purposes: to validate that the user is who they claim to be, and to prevent an electronic document from being accessed by anyone other than the intended user.
  • In order to get the eStatement site to work within an iFrame, significant development will be required to change how the website behaves when hosted inside an iFrame.

Reproducing the Issue

Clients can test this now by enabling an experimental feature in Chrome.

  1. Access Chrome flags by entering “chrome://flags” in the URL bar
  2. Enable the feature “Test Third Party Cookie Phaseout”
  3. Restart Chrome
  4. Now, the user can log into online banking to test eStatement and review any breakage in function.

Solutions

This section will go through all possible solutions, and their feasibility.

Move away from Cookies

One solution is to move away from cookies altogether, and implement token-based authentication. Many of our applications are already using some form of token-based authentication. The issue with this is that it will introduce risk to users’ data. Without session data stored in a cookie, there is no way to do authentication, and the URL to view statements will be accessible by anyone on the Internet.

We can make the URL short-lived, and have the URL contain long random strings of characters such that a brute force attack is impossible. At this point, the only way for a bad actor to access the URL is if they already had access to the device.

Short-lived statement URLs will also introduce a conflict between user experience and security. How short should the time limit be to be secure enough, but not impact the user’s ability to view her statements?

Furthermore, there is still the use case of users who, against better judgment, access their banking information on a public device. The URLs are retained in the web browser’s history. The statements are still accessible within the time limit assigned.
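The trade-off described above can be seen in a small model of short-lived statement URLs. This is an added example, not InfoIMAGE code; the host `estmt.example`, the function names, the document ID and the 5-minute lifetime are all assumptions made for illustration.

```javascript
// Added illustration of a short-lived, unguessable statement URL.
// All names and values here are hypothetical, not taken from the eStatement site.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;
const TTL_MS = 5 * 60 * 1000;   // assumed lifetime: 5 minutes
const issued = new Map();       // token -> { docId, expiresAt }

function issueStatementUrl(docId, now = Date.now()) {
  // 32 bytes from a CSPRNG: 256 bits, so guessing a live token is not practical.
  const bytes = rng.getRandomValues(new Uint8Array(32));
  const token = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  issued.set(token, { docId, expiresAt: now + TTL_MS });
  return `https://estmt.example/view?t=${token}`;
}

// No cookie or session is consulted: possession of the URL is the only check.
function redeem(url, now = Date.now()) {
  const token = new URL(url).searchParams.get('t');
  const rec = issued.get(token);
  if (!rec) return { ok: false, reason: 'unknown token' };
  if (now >= rec.expiresAt) {
    issued.delete(token);
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, docId: rec.docId };
}

function demo() {
  const t0 = 1700000000000;     // constructed timestamp
  const url = issueStatementUrl('stmt-2023-11', t0);
  return {
    tokenChars: new URL(url).searchParams.get('t').length,
    owner: redeem(url, t0 + 1000),
    // Same URL reopened from browser history on a shared device, 4 minutes later.
    fromHistory: redeem(url, t0 + 4 * 60 * 1000),
    late: redeem(url, t0 + TTL_MS),
    guess: redeem('https://estmt.example/view?t=' + '0'.repeat(64), t0),
  };
}
```

The `fromHistory` result succeeds because nothing ties the URL to the person who requested it; shortening `TTL_MS` narrows that window but also shortens the time the legitimate user has to open the statement.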

Research has been done into three of the five largest banks in the US. They are all still using some combination of web browser storage. It is an indication that cookies and web storage are vital to user authentication and authorization. The technical constraint is industry-wide in the web browser technology space.

  • Feasibility: Not feasible
  • Complexity: N/A

Move away from using an iFrame

By default, websites hosted inside iFrames will break due to the increased restrictions from web browsers, targeted at tracking and advertisements. Moving away from the iFrame will lift all of those restrictions from the eStatement site, and safeguard it from future restrictions.

  • Feasibility: feasible
  • Complexity: simple

Stay within iFrame, use CHIPS, and redesign Statement Viewing UI/UX

Chrome provided several solutions to address the third-party cookie phase out. Many of them are complex and are meant to be used for tracking/impression/advertisements/metric collections across multiple websites (think targeted ads). Because InfoIMAGE does not perform any of the listed actions, the most feasible solution would be to use partitioned cookies. Partitioned cookies allow the eStatement site to save cookies, which are functionally critical.

Partitioned cookies are explained very well in this article:.

With how the eStatement website is functioning right now, using partitioned cookies, which is a requirement for the website to work inside an iFrame, will result in this situation.

Image taken from Chrome article on CHIPS

A is the online banking website. C would be the eStatement site. While still inside the iFrame, the website would work fine. The eStatement site would open in a new tab when a user attempts to view their statements or check images. At that point, the new tab cannot access session data to validate the user, and therefore the user will not be able to view their statements.

There is no viable solution to fix the user’s ability to view statements in a new tab. This is due to the aforementioned requirement for cookies as a means of authentication and authorization. The statements must be opened within the iFrame.
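The iFrame versus new-tab behaviour described above, as an added example that is not part of the original article: a toy cookie jar that applies the phase-out rule and the CHIPS partition key. The hostnames `bank.example` and `estmt.example` and the cookie value are constructed, and a "site" is simplified to a plain hostname comparison.

```javascript
// Toy cookie jar modelling the phase-out plus CHIPS. Hostnames are constructed:
// bank.example = online banking platform, estmt.example = eStatement site.
// Simplification: a "site" is compared as a plain hostname string.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Partitioned cookies are keyed by (top-level site, host); others by host only.
  static key(topLevelSite, host, partitioned) {
    return partitioned ? `${topLevelSite}|${host}` : `*|${host}`;
  }

  set(topLevelSite, host, header) {
    const [pair, ...rest] = header.split(';').map((s) => s.trim());
    const attr = new Map(rest.map((a) => {
      const [k, v = ''] = a.split('=');
      return [k.toLowerCase(), v.toLowerCase()];
    }));
    const partitioned = attr.has('partitioned');
    const thirdParty = topLevelSite !== host;
    if (partitioned && !attr.has('secure')) return false;   // Partitioned requires Secure
    // Embedded (third-party) context: only SameSite=None + Partitioned is stored.
    if (thirdParty && !(partitioned && attr.get('samesite') === 'none')) return false;
    const k = CookieJar.key(topLevelSite, host, partitioned);
    const eq = pair.indexOf('=');
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(pair.slice(0, eq), pair.slice(eq + 1));
    return true;
  }

  // Cookies the browser would attach to a request to `host` under `topLevelSite`.
  get(topLevelSite, host) {
    const keys = [CookieJar.key(topLevelSite, host, true)];
    if (topLevelSite === host) keys.push(CookieJar.key(topLevelSite, host, false));
    const out = {};
    for (const k of keys) for (const [n, v] of this.store.get(k) || []) out[n] = v;
    return out;
  }
}

function scenario() {
  const jar = new CookieJar();
  const BANK = 'bank.example', ESTMT = 'estmt.example';
  const legacy = 'session=abc123; Secure; HttpOnly; SameSite=None';
  return {
    legacyInIframe: jar.set(BANK, ESTMT, legacy),                    // blocked
    chipsInIframe: jar.set(BANK, ESTMT, legacy + '; Partitioned'),   // stored
    iframeSees: jar.get(BANK, ESTMT),   // session available inside the iFrame
    newTabSees: jar.get(ESTMT, ESTMT),  // new tab: different partition, no session
  };
}
```

The session cookie lives only in the (bank.example, estmt.example) partition, so a statement opened as a top-level tab on estmt.example starts with no session.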

  • Feasibility: feasible
  • Complexity: medium

Temporary Solutions

If actions cannot be taken quickly enough to meet the 1% partial rollout in January, here are workarounds:

  1. Users who happen to be within the 1% can opt out. What they will see and how they can opt out is detailed in this article:
  2. If the user does not want to opt out, then they have to use another browser like Firefox. That said, Firefox and Safari have implemented their own restrictions on third-party cookies. Users will have to update their Firefox/Safari settings.
    • For Firefox, the user will need to relax the restriction on Cookies down to “Cross-site tracking cookies” only.
  3. The top-level site, i.e. the online banking platform, can opt out of this 1% partial rollout. This is outside the control of InfoIMAGE.
