Servers Partitioning All Cookies

[volosied]

The documentation states that partitioning is an opt-in in order for third party cookies to work in some contexts (same top level sites). It briefly goes over some reasons such as the principle of least privilege and avoiding unexpected bugs in the browswer.

However, my question is what are the downsides / issues if an application server partitions all applicable (ie. SameSite=None & Secure) cookies? The documentation mentioned browsers partitioning by default, but what if the servers added the "Partitioned" attribute to all eligible cookies avoid applications from breaking.

Appreciate any help. Thanks!

Edit: Would the consequences of a server partitioning all cookies be the same as if the browser partitioned by default -- simply avoiding unexpected bugs?

[johannhof]

There are a few effects of doing this that come to my mind right now, mostly regarding partitioning top-level cookies:

• Your existing unpartitioned cookies will not be overridden by new partitioned cookies with the same name. This could be good or bad, depending on what you're trying to achieve.
• Top-level cookies set with the "partitioned" attribute will be inaccessible using the Storage Access API, as opposed to unpartitioned cookies.
• Similarly, these top-level partitioned cookies will also not be accessible in "A->B->A" scenarios, because of the upcoming introduction of an ancestor chain bit.