Chrome Third Party Cookie Deprecation

Todd Ignasiak

Google is changing Chrome browser behaviors related to "Third Party Cookie" availability, which may impact the authentication cookies used in Menlo Security isolation sessions.   See this Google Blog for details: https://blog.google/products/chrome/privacy-sandbox-tracking-protection/

To avoid service interruptions, you must add third party cookie exceptions for your isolation appliance’s service domains to your Chrome settings.   

Which environments are impacted?

Menlo Security worked with Google to exempt the domains used for the Menlo cloud deployments from these changes. These domains include menlosecurity.com and menlogov.com. While this means that cookie policy will not change for Menlo cloud users, we do recommend configuring these domain exceptions to protect against any future changes.

On-Premise (OVA) deployments which use proxy mode isolation will be impacted by this change, and the cookie exception must be added to Chrome configurations to prevent service interruptions.

What is changing? 

Google will be enabling third party cookie blocking on 1% of Chrome browsers in January 2024 and progressively expanding it to all Chrome browsers in the second half of 2024.

Where are third party cookies used?  

Menlo isolation sessions use third party cookies when isolating Internet sites. When a site, wikipedia.org for example, is being isolated, the rendering communications are sent to the isolation appliance hostnames. These isolation requests use cookies, and since their domains differ from the address bar domain (wikipedia.org), they are considered third party cookies.

What is the impact of the change? 

Without adding a configuration to allow cookies on the appliance domains, the cookies will be stripped and an attempt to isolate a www site will cause an authentication loop resulting in an error page being displayed.

 

How do I address this change for my users?

Chrome has settings which can be configured to selectively permit third party cookies for domains which require them.  These settings can be configured in Chrome or can be applied via a device management tool like Active Directory or Microsoft Intune.

 

Microsoft Intune:

Apply a Windows Configuration Profile for:

Google Chrome Content Settings -> Allow Cookies for these Sites

Add an entry for your domain:

[*.]menlosecurity.com

Microsoft Active Directory:

Use an Active Directory Group Policy Object (GPO) to set a registry entry of the following type for your corporate domain:

Software\Policies\Google\Chrome\CookiesAllowedForUrls\1 = [*.]menlosecurity.com

 

Chrome Policy Reference: https://chromeenterprise.google/policies/#CookiesAllowedForUrls
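
For a single test machine, the registry entry above can be written with a script before the GPO is rolled out. The following PowerShell is an added example, not Menlo Security or Google code; it assumes the machine-wide HKLM hive, an elevated session, and a $Pattern default that you replace with your own isolation domain. It appends to the list instead of overwriting value 1, so existing cookie exceptions are kept.

```powershell
# Added example: append a pattern to Chrome's CookiesAllowedForUrls list policy
# without overwriting entries that are already present.
# Assumptions: run elevated; HKLM (machine-wide) hive; $Pattern is your isolation domain.
param(
    [string]$Pattern = '[*.]menlosecurity.com'
)

$key = 'HKLM:\Software\Policies\Google\Chrome\CookiesAllowedForUrls'

# Reject bare wildcards and bare TLDs such as "*" or "[*.]com", which would
# allow third party cookies far beyond the isolation service.
if ($Pattern -notmatch '^(\[\*\.\])?([a-z0-9-]+\.)+[a-z]{2,}$') {
    throw "Refusing pattern '$Pattern': expected [*.]domain.tld or host.domain.tld"
}

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# List policies are stored as string values named 1, 2, 3, ...
$item = Get-Item -Path $key
$existing = @{}
foreach ($name in $item.GetValueNames()) {
    if ($name -match '^\d+$') {
        $existing[[int]$name] = [string]$item.GetValue($name)
    }
}

# Nothing to do if the exception is already configured.
if ($existing.Values -contains $Pattern) {
    Write-Output "Already present: $Pattern"
    return
}

# Use the first unused index so other entries stay intact.
$index = 1
while ($existing.ContainsKey($index)) { $index++ }

New-ItemProperty -Path $key -Name "$index" -Value $Pattern -PropertyType String | Out-Null
Write-Output "Set $key\$index = $Pattern"
```

After running it, open chrome://policy and reload policies; CookiesAllowedForUrls should list the new entry.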

 

How can I address this manually with Chrome settings?

To open Chrome Settings, click the three vertical dot icon in the upper-right of the Chrome UI, then select "Settings" in the menu.

On the left sidebar, click "Privacy and Security" then click the "Site settings" button. 

Select "Additional content settings" then select "On-device site data".

Within the "Allowed to save data on your device" section, add an entry for the isolation platform domain, "[*.]menlosecurity.com".

 

What domain do I need to configure the exception for?

The third party cookie exception must be created for the domain that is used for the isolation protocol communications.

For users of the Menlo Security primary cloud platform, the domain exception to configure is: "[*.]menlosecurity.com"

For users of the Menlo Security FedRAMP cloud platform, please use "[*.]menlogov.com"

For users of on-premise Menlo Security virtual appliances, the corporate domain name used by the isolation appliances must be configured. This is most commonly your company domain. To verify the domain in use, log into the admin UI of an isolation node and view the value in "Settings -> Service -> Service Settings -> Login name".
