
Looking for a demo of CHIPS cookie in action


Chrome is planning to restrict support for 3rd party cookies further starting in 2024. https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct

This means we need to use the CHIPS approach https://developers.google.com/privacy-sandbox/3pcd/chips (in short, 3rd-party cookies will be associated not with the 3rd-party domain but with a combination of origin and 3rd-party domain, to guarantee they can't be used from any other origin). For the browser to support that, we need to add the Partitioned; attribute to cookies.

My question is:

Is there any demo/sample site that can demonstrate this CHIPS approach in action? And can my scenario (described below) still work?

My scenario is that I have a user logged into two sites (say Site A and B) using OAuth/OpenID Connect (both sites use the same OAuth provider). JavaScript code running on a page from Site A makes a fetch call to a REST endpoint on Site B, and the necessary cookies are sent by the browser (using the credentials: "include" option in JS fetch). So far everything works fine (note that the CORS header is also set in the response from Site B to allow the call from Site A), but if I enable the new restriction in my Chrome browser, then it no longer sends the cookie in the JS fetch. I want to know if I can fix this by simply adding the Partitioned; property in my Set-Cookie header, or whether I also have to pop an iframe of Site B inside the page of Site A for the partitioned cookie to be set and picked up by the browser. And is this the only way that I would be able to make the JS fetch work in this scenario? If that's the case, it looks like a messy solution, and I wonder if there is a better approach.

Also, is there any Chrome extension that allows me to add this property and quickly test my situation? (I tried multiple Chrome extensions, but when I modify the cookie by adding the Partitioned property, the cookie disappears!)


Solution

  • The article you provided about CHIPS has a demo included. IMHO, it's well explained and illustrates the use of CHIPS and how the "partitioned cookies" are handled by different browsers and their settings:
    https://chips-site-a.glitch.me/


    In your case, the Fetch API approach is also subject to third-party cookie policies, and thus will no longer work: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials

    Requests with credentials
    Note: When making credentialed requests to a different domain, third-party cookie policies will still apply.

    Third-party cookies
    Note that cookies set in CORS responses are subject to normal third-party cookie policies. In the example above, the page is loaded from foo.example but the cookie on line 19 is sent by bar.other, and would thus not be saved if the user's browser is configured to reject all third-party cookies.

    I don't think adding the Partitioned attribute would work because there is no relation to Site A as a top-level site on Site B. CHIPS is therefore most likely the wrong technology for your particular use case.
    Your iframe approach would probably work as you expect.

    My suggestion is to take a look at other technologies as potential solutions.
    The idea and concept of Related Website Sets sounds more suitable for your scenario.


    I know this Cookie Manager extension by Rob Wu that claims to be compatible with Chrome (it's just not in the Chrome Web Store, but it's worth a try to load it unpacked into Chrome).
    I used it once in Firefox, and it had a working option to add a partition key.
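
A simplified model of the partition-key behaviour discussed in the question and answer above, added here as an example (it is not from the original post and is not Chrome's implementation). The site names, the `CookieJar` class and `runScenario` are hypothetical, and the model assumes third-party cookie blocking is on while ignoring Domain, Path, expiry and SameSite matching.

```javascript
// Added example: a simplified model, not Chrome's implementation.
// Ignores Domain, Path, expiry and SameSite; a "site" is compared as a plain string.
class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Handle a Set-Cookie header from `host` while `topLevelSite` is in the address bar.
  // Returns true if the cookie is stored.
  store(setCookie, host, topLevelSite) {
    const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
    const partitioned = flags.has('partitioned');
    if (partitioned && !flags.has('secure')) return false; // Partitioned requires Secure
    if (host !== topLevelSite && !partitioned) return false; // unpartitioned third-party cookie blocked
    const partitionKey = partitioned ? topLevelSite : null;
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.host === host && c.partitionKey === partitionKey));
    this.cookies.push({ name, value, host, partitionKey });
    return true;
  }

  // Cookie header value for a request to `host` issued under `topLevelSite`.
  cookieHeader(host, topLevelSite) {
    return this.cookies
      .filter((c) => c.host === host &&
        (c.partitionKey === null ? host === topLevelSite : c.partitionKey === topLevelSite))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed scenario with hypothetical sites A (page) and B (API).
function runScenario() {
  const A = 'https://site-a.example';
  const B = 'https://site-b.example';
  const jar = new CookieJar();
  const attrs = '; Secure; HttpOnly; SameSite=None; Partitioned';
  jar.store('sid=top' + attrs, B, B); // login on B itself: partition key is B
  const beforeEmbed = jar.cookieHeader(B, A); // fetch from A: nothing to send
  jar.store('sid=embedded' + attrs, B, A); // set by B while embedded under A
  return {
    beforeEmbed,
    afterEmbed: jar.cookieHeader(B, A),
    onSiteB: jar.cookieHeader(B, B),
    withoutSecure: jar.store('sid=x; Partitioned', B, A),
    unpartitioned: jar.store('sid=x; Secure; SameSite=None', B, A),
  };
}
```

In this model the cookie set during a top-level login on Site B stays in B's own partition, so a credentialed fetch from Site A only carries a cookie that Site B set while it was embedded under A.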