Dynamics 365 is blocking third-party cookies in Chrome


I am integrating a single-page application in Dynamics 365 using Channel Integration Framework. I am using Google Chrome as the browser. My application also uses cookies to maintain user sessions.

However, Google has announced (here: Prepare for phasing out third-party cookies - Chrome for Developers) that from Q1 2024 they will be phasing out support for third-party cookies. My application behaves as third-party in Dynamics 365 which cannot function without cookies.

I have simulated the phasing out of third-party cookies by browsing to the following URL in Chrome:

chrome://flags/#test-third-party-cookie-phaseout

And set the Test Third Party Cookie Phaseout to Enabled but my application is not displaying.

I have tried their solution which recommends using CHIPS (Cookies Having Independent Partitioned State) by adding the "Partitioned" option in the "Set-Cookies" header but it does not work.

Here is the code I am using in ASP.NET Web API:

    string setCookieHeader = Response.Headers["Set-Cookie"];

    if (!string.IsNullOrEmpty(setCookieHeader))
    {
        setCookieHeader += ";Partitioned";
        Response.Headers["Set-Cookie"] = setCookieHeader;
    }

With third-party phasing out simulated, the above code should have worked.

Is this because Dynamics 365 is loading my application in an <iframe> ?

I do not have control over the creation of <iframe> since it is in Dynamics 365. What is the solution to this problem since the "Partitioned" attribute is not working in Dynamics 365 either?

There are 3 answers

1
Laszlo Penzes On

To me it appears that Microsoft also has to do something to make it work, as with third-party cookies disabled (test-third-party-cookie-phaseout flag enabled) not even CIFInitDone event is emitted.

It would be nice if someone from MS could comment on it. We are going to open a support ticket about it, I'll post any update here.

0
CodeResearcher On

There is also an unanswered topic on powerusers.microsoft.com:

https://powerusers.microsoft.com/t5/Building-Power-Apps/Chrome-deprecating-3rd-party-cookies/m-p/2403692

The only place I know where Microsoft mentions the handling of issues with 3rd party cookies for Power Platform is here:

https://learn.microsoft.com/en-us/power-pages/known-issues?tabs=Chrome#images-not-displaying-in-power-pages-design-studio

There it's also mentioned that 3rd party cookies can be allowed for specific sites only, this is still possible in Chrome:

https://support.google.com/chrome/answer/95647?hl=en-GB&co=GENIE.Platform%3DDesktop#zippy=%2Callow-third-party-cookies-for-a-specific-site

But I'm not sure if this will be continued after the deprecation of 3rd party cookie feature:

https://bugs.chromium.org/p/chromium/issues/detail?id=1473264

0
mcessna On

In regard to the "Partitioned" cookie attribute, the cookie also has to have its SameSite attribute set to None and the Secure attribute must also be added; otherwise, the cookie will not be set/passed (depending on context).

Regarding the response from @Laszlo Penzes, I opened a ticket with Microsoft as to whether they're going to support the "Partitioned" cookie attribute in the .NET Framework or .NET (formerly .NET Core); their final answer was they were NOT going to add the "Partitioned" attribute to their API in either the .NET Framework or .NET. The .NET Framework is in maintenance mode and they're not adding it to .NET because the "Partitioned" cookie attribute has not been ratified as an IETF standard (the same can be said for the SameSite cookie attribute though, for which support was added). There are ways to add support for the "Partitioned" cookie attribute for both the .NET Framework and for .NET.

[.NET (formerly .NET Core)] https://stackoverflow.com/a/77846869/2796379

[.NET Framework] The following code example is from Microsoft:

    protected void Application_PreSendRequestHeaders ()
    {
        var httpContext = HttpContext.Current;
        if (httpContext != null)
        {
            var cookieValueSuffix = "; Partitioned";

            var cookies = httpContext.Response.Cookies;
            // This does all cookies, you could name match and append if they exist in the request to be lighter touch
            for (var i = 0; i < cookies.Count; i++)
            {
                var cookie = cookies[i];
                cookie.Value += cookieValueSuffix;
            }
        }
    }

Note: "Partitioned" cookies must also have their SameSite attribute set to None and be marked with the Secure attribute.

[ASP.NET] Additionally, you can create an Outbound URL Rewrite rule to accomplish this; it also requires installing the URL Rewrite Module (see below).

The following Outbound URL Rewrite rule can be added to web.config within the system.webServer element. The rule will only add the "Partitioned" cookie attribute if the cookie already contains the "SameSite=None" cookie attribute (one of the requirements):

    <rewrite>
        <outboundRules>
            <rule name="Ensure Partitioned Cookies" preCondition="Missing Partitioned cookie">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*SameSite=None" negate="false"/>
                <action type="Rewrite" value="{R:0}; Partitioned"/>
            </rule>
            <preConditions>
                <preCondition name="Missing Partitioned cookie">
                    <add input="{RESPONSE_Set_Cookie}" pattern="."/>
                    <add input="{RESPONSE_Set_Cookie}" pattern="; Partitioned" negate="true"/>
                </preCondition>
            </preConditions>
        </outboundRules>
    </rewrite>

URL Rewrite Module download: https://www.iis.net/downloads/microsoft/url-rewrite

URL Rewrite Module 2.0 Configuration Reference: https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-20-configuration-reference#Outbound_Rule_Configuration

Modifying HTTP Response Headers: https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/modifying-http-response-headers
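
The requirements listed in the last answer (Partitioned only together with Secure and SameSite=None), applied to one Set-Cookie value at a time. This is an added example, not code from the answers above or from Microsoft; the class name, method names and sample header values are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class PartitionedCookies
{
    // Attribute names of one Set-Cookie value, lower-cased, without their values.
    static HashSet<string> AttributeNames(string setCookie) =>
        new HashSet<string>(
            setCookie.Split(';').Skip(1)               // element 0 is name=value
                     .Select(a => a.Split('=')[0].Trim().ToLowerInvariant()));

    // True only when the cookie carries SameSite=None (case-insensitive).
    static bool IsSameSiteNone(string setCookie) =>
        setCookie.Split(';').Skip(1)
                 .Select(a => a.Split(new[] { '=' }, 2))
                 .Any(kv => kv.Length == 2
                         && kv[0].Trim().Equals("samesite", StringComparison.OrdinalIgnoreCase)
                         && kv[1].Trim().Equals("none", StringComparison.OrdinalIgnoreCase));

    // Appends "; Partitioned" only when the cookie is Secure and SameSite=None
    // and is not already partitioned; every other cookie is returned unchanged.
    public static string AddPartitioned(string setCookie)
    {
        var attrs = AttributeNames(setCookie);
        if (attrs.Contains("partitioned")) return setCookie;
        if (!attrs.Contains("secure") || !IsSameSiteNone(setCookie)) return setCookie;
        return setCookie.TrimEnd(' ', ';') + "; Partitioned";
    }

    static void Main()
    {
        // Constructed sample values, one per Set-Cookie header line.
        var headers = new[]
        {
            "session=abc123; Path=/; Secure; HttpOnly; SameSite=None",   // eligible
            "prefs=dark; Path=/; SameSite=Lax",                          // not cross-site
            "tracking=xyz; Path=/; SameSite=None",                       // missing Secure
            "cart=42; Path=/; Secure; SameSite=None; Partitioned",       // already done
        };
        foreach (var h in headers)
            Console.WriteLine(AddPartitioned(h));
    }
}
```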