CHIPS: How Partitioned Cookies Are Reshaping Web Privacy Without Breaking Functionality
For years, third-party cookies have been the silent enablers of cross-site tracking, allowing services to monitor user activity across unrelated websites through embedded content like ads or widgets. This practice sparked privacy debates and led browsers to plan their eventual deprecation. But what about legitimate uses—such as maintaining a chat session across a retailer's subdomains or balancing CDN loads? Enter Cookies Having Independent Partitioned State (CHIPS), a new standard that redefines cookie storage to block tracking while empowering developers.
The Problem with Traditional Third-Party Cookies
Historically, when a site embeds third-party content—say, a map or support widget—that content can set a cookie stored under a single key based on its host domain. For example:
- A user visits https://site-a.example with embedded content from https://3rd-party.example, which sets a cookie.
- Later, on https://site-b.example with the same embedded content, the cookie remains accessible, enabling cross-site tracking.
This lack of isolation turns innocuous cookies into privacy risks, as they can correlate user behavior across the web.
How CHIPS Solves the Privacy-Functionality Dilemma
CHIPS introduces a partitioned approach where cookies are double-keyed: by the host domain and the top-level site's origin. Developers opt in by adding the Partitioned attribute to the Set-Cookie header:
Set-Cookie: __Host-example=34d8g; SameSite=None; Secure; Path=/; Partitioned;
Key requirements include:
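- Secure: Partitioned cookies must be set with the Secure attribute, so they are only sent over HTTPS.
- __Host- prefix: Recommended. It binds the cookie to the exact host that set it, so the cookie is not shared with subdomains; omit it only when sharing across subdomains is needed.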
In practice:
- On https://site-a.example, a partitioned cookie from https://3rd-party.example is stored under a key like {("https://site-a.example"), ("3rd-party.example")}.
- When the user moves to https://site-b.example, the embedded content can't access the cookie because the top-level partition key differs.
Crucially, CHIPS still supports cross-subdomain functionality. For instance, a chat widget on https://shoppy.example can persist state across https://support.shoppy.example because the partition key (https://shoppy.example) remains consistent.
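The double-keyed lookup described above can be modelled in a few lines. This is an added example, not code from the original article or from any browser: PartitionedJar, siteOf and parseSetCookie are hypothetical names, and the top-level site is approximated as the scheme plus the last two host labels, where real browsers consult the Public Suffix List.

```javascript
// Simplified model of a CHIPS cookie jar (constructed for illustration).
// Assumption: "site" = scheme + last two host labels (browsers use the Public Suffix List).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

// Split a Set-Cookie value into its name, value and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const attrs = new Set(rest.map((a) => a.split("=")[0].toLowerCase()));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

class PartitionedJar {
  constructor() { this.store = new Map(); }
  // Double key: (top-level site, host of the embedded content).
  static key(topLevelUrl, embedUrl) {
    return JSON.stringify([siteOf(topLevelUrl), new URL(embedUrl).hostname]);
  }
  set(topLevelUrl, embedUrl, header) {
    const c = parseSetCookie(header);
    if (!c.attrs.has("partitioned")) return false; // unpartitioned cookies are outside this model
    // Partitioned requires Secure, and Secure cookies can only come from HTTPS.
    if (!c.attrs.has("secure") || new URL(embedUrl).protocol !== "https:") return false;
    const k = PartitionedJar.key(topLevelUrl, embedUrl);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(c.name, c.value);
    return true;
  }
  get(topLevelUrl, embedUrl, name) {
    return this.store.get(PartitionedJar.key(topLevelUrl, embedUrl))?.get(name) ?? null;
  }
}

const HEADER = "__Host-example=34d8g; SameSite=None; Secure; Path=/; Partitioned;";
function demo() {
  const jar = new PartitionedJar();
  const widget = "https://3rd-party.example/widget";
  jar.set("https://site-a.example/", widget, HEADER);
  jar.set("https://shoppy.example/", widget, HEADER);
  return {
    siteA: jar.get("https://site-a.example/page", widget, "__Host-example"),
    siteB: jar.get("https://site-b.example/", widget, "__Host-example"),
    subdomain: jar.get("https://support.shoppy.example/", widget, "__Host-example"),
    noSecure: jar.set("https://site-a.example/", widget, "x=1; SameSite=None; Partitioned"),
  };
}
console.log(demo());
```

The cookie set under site-a.example is invisible under site-b.example, while support.shoppy.example resolves to the same partition as shoppy.example, and a Partitioned cookie without Secure is refused.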
Why This Matters for Developers
CHIPS isn't just a privacy win—it's a practical tool for modern web development:
- Block tracking: By isolating cookies to the top-level context, it thwarts unauthorized data collection.
- Preserve utility: Legitimate uses thrive, such as maintaining session state in embedded services or optimizing subresource delivery via CDNs.
- Future-proofing: As browsers like Chrome phase out third-party cookies, CHIPS (similar to Firefox's state partitioning) offers a migration path. Developers can adopt it now to ensure compatibility without rearchitecting applications.
This innovation underscores a broader trend: the web is evolving toward privacy by design, demanding smarter, context-aware solutions from engineers. By embracing CHIPS, developers can build more trustworthy experiences while navigating the sunset of an era defined by invasive tracking.