Chrome Third Party Cookie Deprecation

Todd Ignasiak

Introduction

Google is changing Chrome browser behaviors related to "Third Party Cookie" availability, which may impact the authentication cookies used in Menlo Security isolation sessions.   See this Google Blog for details: https://blog.google/products/chrome/privacy-sandbox-tracking-protection/

To avoid service interruptions, you must add third party cookie exceptions for your isolation appliance’s service domains to your Chrome settings.   


Which environments are impacted?

Menlo Security worked with Google to exempt the domains used for the Menlo cloud deployments from these changes. These domains include menlosecurity.com and menlogov.com. While this means that cookie policy will not change for Menlo cloud users, we recommend configuring these domain exceptions to protect against any future changes.

On-premise (OVA) deployments which use proxy mode isolation will be impacted by this change and the cookie exception must be added to Chrome configurations to prevent service interruptions.  


What is changing? 

Google will be enabling third-party cookie blocking on 1% of Chrome browsers in January 2024 and progressively expanding this change to become the standard configuration for Chrome browsers based on Google's rollout plan. The timing for full transition is subject to change at Google's discretion. It is recommended that organizations implement the third-party cookie configuration changes immediately to ensure reliable service.


Where are third-party cookies used?  

Menlo isolation sessions use third-party cookies when isolating Internet sites. When a site, wikipedia.org for example, is being isolated, the rendering communications are sent to the isolation appliance hostnames. These isolation requests use cookies, and since their domains differ from the address bar domain (wikipedia.org), they are considered third-party cookies.


What is the impact of the change? 

Without adding a configuration to allow cookies on the appliance domains, the cookies will be stripped and an attempt to isolate a www site will cause an authentication loop resulting in an error page being displayed.


Will third-party cookies also be changing for Microsoft Edge?

There are also indications that Microsoft will be making similar changes to the Edge browser, but the plans and timelines are less clear at this point. Menlo Security recommends adding third-party exceptions for the Edge browser while making the changes to Chrome.


How do I address this change for my users?

Chrome has settings which can be configured to selectively permit third party cookies for domains which require them.  These settings can be configured in Chrome or can be applied via a device management tool like Active Directory or Microsoft Intune.

Microsoft Intune:

Apply a Windows Configuration Profile for:

Google Chrome Content Settings -> Allow Cookies for these Sites
Add an entry for your domain:

[*.]menlosecurity.com

Now, do the same for Microsoft Edge:

Microsoft Edge\Content Settings -> Allow Cookies on Specific Sites

Add an entry for your domain:

[*.]menlosecurity.com

Note:  for on-premise deployments, replace 'menlosecurity.com' in the above examples with the domain used by your appliances.

Microsoft Active Directory:

Use an Active Directory Group Policy Object (GPO) to set a registry entry of the following type for your corporate domain on both Chrome and Edge browsers:

Software\Policies\Google\Chrome\CookiesAllowedForUrls\1 = [*.]menlosecurity.com
Software\Policies\Microsoft\Edge\CookiesAllowedForUrls\1 = [*.]menlosecurity.com
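
To confirm on a Windows endpoint that the registry entries above have actually been applied, a check along these lines can be run. This is an added example, not Menlo Security tooling; the default pattern is an assumption and must be replaced with your appliance domain for on-premise deployments, and both the machine and user hives are checked because the article does not say which one the GPO targets.

```powershell
# Added example: audit the CookiesAllowedForUrls policy for Chrome and Edge.
# $Pattern is an assumed default; on-premise deployments pass their own domain.
param(
    [string]$Pattern = '[*.]menlosecurity.com'
)

# Policy key paths as listed in the article (hive is added below).
$policyKeys = [ordered]@{
    'Chrome' = 'Software\Policies\Google\Chrome\CookiesAllowedForUrls'
    'Edge'   = 'Software\Policies\Microsoft\Edge\CookiesAllowedForUrls'
}

function Get-CookieAllowList {
    param([string]$SubKey)
    # List policies are stored as numbered string values (1, 2, ...) under the key.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = '{0}\{1}' -f $hive, $SubKey
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Hive  = $hive
                Index = $name
                Value = [string]$key.GetValue($name)
            }
        }
    }
}

$report = foreach ($browser in $policyKeys.Keys) {
    $entries = @(Get-CookieAllowList -SubKey $policyKeys[$browser])
    # Exact, case-insensitive match on the configured pattern.
    $match = $entries | Where-Object { $_.Value -ieq $Pattern }
    [pscustomobject]@{
        Browser   = $browser
        Entries   = $entries.Count
        Compliant = [bool]$match
        FoundIn   = ($match.Hive | Sort-Object -Unique) -join ','
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets a management tool flag endpoints missing the exception.
if ($report.Compliant -contains $false) { exit 1 }
```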

 


Further Reading


What domain do I need to configure the exception for?

The third-party cookie exception must be created for the domain that is used for the isolation protocol communications.

  • For users of the Menlo Security primary cloud platform, the domain exception to configure is: "[*.]menlosecurity.com"
  • For users of the Menlo Security FedRAMP cloud platform, please use "[*.]menlogov.com"
  • For users of on-premise Menlo Security virtual appliances, the corporate domain name used by the isolation appliances must be configured. This is most commonly your company domain. To verify the domain in use, log into the admin UI of an isolation node and view the value in "Settings -> Service -> Service Settings -> Login name".

How can I address this manually with Chrome settings?

Changing this setting manually within browser settings may be useful to test the settings change prior to making the central change with MDM, or to control the setting on an unmanaged device. To do this:

  1. Open Chrome Settings by clicking the three vertical dot icon in the upper-right of the Chrome UI.
  2. Select Settings in the menu.
  3. On the left sidebar, click Privacy and Security, then click the Site settings button.
  4. Scroll down to Additional content settings, then select On-device site data.
  5. Within the Allowed to save data on your device section, add an entry for the isolation platform domain, [*.]menlosecurity.com
