Browsers block third-party cookies by default AI-researched
Dependency: Third-party cookies for cross-site state
Safari fully blocked third-party cookies by March 2020 (ITP since 2017), Firefox added Total Cookie Protection, and Chrome began phased deprecation. Multi-domain artworks that shared state via cookies lost cross-site functionality.
Fixes & Mitigations
- Migration: Artworks can migrate to server-side session management, first-party cookies with SameSite attributes, or the Storage Access API.
- No fix available: The implicit cross-site state sharing that cookies provided has no drop-in replacement.
Safari Intelligent Tracking Prevention (ITP) launched in September 2017 and progressively tightened restrictions until fully blocking third-party cookies by March 2020. Firefox added Enhanced Tracking Protection (September 2019) and Total Cookie Protection. Chrome announced deprecation in 2020, though implementation has been delayed.
What changed
Third-party cookies allowed web pages to share state across different domains — an embedded iframe could read cookies set by its origin site, enabling cross-site authentication, personalization, and state management. When browsers began blocking these cookies by default, multi-domain artworks lost the ability to share state across sites.
Interactive works relying on third-party authentication cookies embedded in iframes, artworks that used cross-site tracking as a creative medium, and multi-domain compositions that shared user state all broke.
Notes
This is part of a broader trend of browsers enforcing privacy through origin isolation. While driven by legitimate anti-tracking goals, each isolation boundary added by browsers narrows the ways web pages can interact with each other — reducing the creative surface area available to web artists.