Cookie Setting in via Set Cookie Response Header in Fenced Frames

Image 1 Image 2 Image 3 Image 4
Here we see a cookie addict trying to see over fences meant to shield vulnerable cookies - iSac, Gemini, December 19, 2024.

CHIPs and Fenced Frames

Here we try to set a CHIP via a creative rendered in a fenced frame. Although the server side code is ofc free to include the CHIP response header, the browser is not setting it.

Note in particular the difference between the "creative" below, which returns all the headers the server sees and it does not see the cookie, vs the iframes version, where the cookie is set and is passed back and forth.

Note that other forms of local storage do temporarily work, see the Network Partitioning Explainer
  • You can see the handler that makes the creative here.
  • You can see the client side JS here.
  • Note also if you open dev tools, go to the network tab, and then refresh the page, you'll see the requests and headers included. The initial page load will occur with whatever the last Referer Policy was, you'll see the header come back and take effect on the next request; at that point you can find the "creative?id=..." request and see whether the referer was sent, which should be reflected in the results below.

Live Result

Sorry for the bad UI here, scroll down in the Fenced Frame a bit and you won't see cookies.