Does your Salesforce implementation use third-party cookies, iframe
elements, or AppExchange solutions? Google Chrome is phasing out third-party cookies and making changes to storage APIs, which may affect your org. To ensure that you’re prepared, follow the testing methods recommended by Google and those outlined in this post, and take some time to review Salesforce updates that address Google’s changes.
What is the Privacy Sandbox?
Google is improving privacy for its users through its Privacy Sandbox initiative. Two key areas of focus are the blocking of third-party cookies and the enforcement of storage partitioning. These updates reduce cross-site tracking and ensure that stored data is only accessible by the site that inserted the content.
For example, say that you visit xyz.com. Previously, if you clicked the “Accept Cookies” pop-up, a third-party advertiser could request and store data about your activity. Then, when you visited a different website with the same advertiser service, the third-party cookie could be used to serve you relevant ads based on your activity on xyz.com. With the new privacy updates, Google Chrome recognizes when a request isn’t coming from xyz.com, but instead from the third-party advertiser. Chrome then blocks the advertiser from accessing your activity data via a third-party cookie.
A similar concept applies to storage and communication APIs used in third-party contexts. For example, say that you visit xyz.com, which stores data with the Web Storage API. Previously, because storage was unpartitioned, a site that embedded a page from xyz.com would have access to this data. With the new enforcement of storage partitioning, the secondary site can’t access the data from xyz.com.
To gain a fuller understanding of the changes coming to Google Chrome, we highly encourage you to look through Google’s Privacy Sandbox documentation.
The Privacy Sandbox timeline
Partitioned local and session storage rolled out in Chrome in Fall 2023. Third-party cookies, as of writing this blog post, have been disabled for 1% of users and should be disabled for all users by early 2025. To get up-to-date information, consult the Privacy Sandbox Timeline.
Test Salesforce in Google Chrome
Almost every Salesforce org has been customized to some extent—many with their own custom components or applications. So it’s important for you to test all of your key scenarios within Chrome in the same way that it will function upon the rollout of Privacy Sandbox.
Third-party cookies
To test your org without support for third-party cookies, enable the Require first-party use of Salesforce cookies setting in the My Domain setup page.
For more comprehensive testing of integrations with non-Salesforce systems, additionally adjust the flags in Chrome by going to the listed URL for each one in the table below and adjusting them to their corresponding values. For more on this, see Test for Breakage, which includes Google’s recommendations for testing sites without third-party cookies.
Flag Name | Flag ID & URL | Proposed Value |
Tracking Protection for 3PCD | chrome://flags#tracking-protection-3pcd |
enabled |
Test Third Party Cookie Phaseout | chrome://flags#test-third-party-cookie-phaseout |
enabled |
Third-party Cookie Deprecation Trial Grants for Testing | chrome://flags#third-party-cookie-deprecation-tria l |
disabled |
Top-Level Third-Party Cookie Deprecation Trial Grants for Testing | chrome://flags#top-level-third-party-cookie-deprecation-trial |
disabled |
Third-Party Cookie Deprecation Metadata Grants for Testing | chrome://flags#tpcd-metadata-grants |
disabled |
Third-party Cookie Phase Out Facilitated Testing | chrome://flags#tpc-phase-out-facilitated-testing |
default |
Third-party Cookie Grants Heuristics Testing | chrome://flags#tpcd-heuristics-grants |
disabled |
Local and session storage
In Chrome 115, Google enforced storage partitioning in third-party contexts. Salesforce currently participates in Google’s deprecation trial, which temporarily extends the use of unpartitioned storage on Salesforce domains. In Summer ’24, Salesforce enables storage partitioning. For flexibility, you can use the new setting to opt out of Salesforce’s rollout for now and keep unpartitioned storage until Google’s deprecation trial permanently ends on September 3, 2024. After this date, Google Chrome storage partitioning is enabled regardless of the setting.
To activate this setting, from Setup, in the Quick Find box, enter User Interface, and then select User Interface. Select Disable Google Chrome Storage Partitioning for Salesforce Domains, and then save your changes. Clear all browser cookies and browser history, and then close the browser. Log into Salesforce and ensure that all functionality works properly.
Recommended solutions
If you identify a problem during testing, it’s important to first determine if you believe the issue to be with Salesforce, an AppExchange solution, or your own custom components.
If you believe the issue is due to Salesforce, contact Salesforce support. If it is with an AppExchange package, reach out to their recommended support channel. If it is with your own solution, then we have outlined some recommended solutions below.
The most common scenario in which you’ll encounter issues is when an iframe
in your Salesforce org hosts content from a cross-origin (or maybe third-party) domain (different than that in the address-bar URL) that tries to use cookies or local/session storage APIs.
Fetch data via REST APIs
If the solution that is not working is using storage for data, authentication, or state, this can normally be retrieved via our REST APIs via OAuth in a connected app. This is the route we took for Lightning Out as we needed the iframe
to still exist, but we couldn’t rely on the session ID cookie to be accessible since it would be stored on another origin.
Remove the need for iframes
Another approach is to migrate anything that is being hosted on another origin and put it on the same origin. If you’re using an iframe
within Salesforce, consider migrating the solution into Salesforce when fetching the data and other resources. This way, you can still use storage paradigms on Salesforce because this access occurs on the same origin. When possible, we recommend migrating your content to Lightning Web Components. See this getting started guide to learn more.
Salesforce’s preparation for Privacy Sandbox changes
Salesforce has enrolled in the deprecation trials for Privacy Sandbox so that we have greater control of the rollout. That way, if issues are found, we can address them quickly and keep you unblocked as much as possible. We will begin to remove these deprecation tokens starting with the Summer ’24 release at a gradual but consistent pace. If you find an issue while you are testing your solutions, please reach out to Salesforce support.
New Setup domain
Anyone who has worked with Salesforce knows that Setup has been around for a long time. That said, many Setup pages include iframe
content from other origins, and this breaks when third-party cookies are blocked by the browser. Since some of these pages are legacy, we found that the best solution to limit the potential impact was to move all Setup pages into a single My Domain-based salesforce-setup.com domain.
If your company controls users’ or servers’ access to the internet through firewalls or allowlists, your IT department must add *.
salesforce-setup.com
to the company’s list of allowed domains.
Lightning Out and token-based authentication
Lightning Out is widely used, and so we introduced token-based authentication to handle authenticated scenarios across origins. If your solution requires any type of authenticated information from Salesforce, then enable Token-Based Authentication in Session Settings and test your solution with cookies disabled.
When will Salesforce’s changes impact me?
Storage Partitioning: Salesforce removes its deprecation tokens with the Summer ’24 release. At this point, storage partitioning is automatically enabled on Salesforce domains unless you use the setting described above for keeping unpartitioned storage until Google’s deprecation trial permanently ends on September 3, 2024.
New Setup Domain (*.salesforce-setup.com): A limited number of sandbox orgs already have the new setup domain enabled. The enablement resumes with a gradual rollout on June 15, 2024, after all customers are on the Summer ’24 release. Salesforce plans to complete the rollout prior to the Winter ’25 release.
Blocking of Third-Party Cookies: Salesforce plans to automatically enable the Require first-party use of Salesforce cookies My Domain setting with a release update in the Winter ’25 release, starting in August 2024 and concluding in October 2024. Salesforce plans to allow orgs to disable that setting in the event that functionality is impacted, but that setting is presently on track to effectively be forced on by Chrome after December 27, 2024.
Conclusion
Google’s Privacy Sandbox initiative is a major step forward for modern web browser privacy. With the restrictions on third-party cookies and the enforcement of storage partitioning already underway, it’s important that you’re ready for these changes. Be sure to test your orgs, explore the recommended solutions, and check out the provided resources for more information.
Resources
Summer ’24 Release Notes
- Add the New Setup Domain
- Prepare for Restrictions on Salesforce Cookie Use
- Temporarily Opt Out of Google Chrome Storage Partitioning
- Require first-party use of Salesforce cookies
Knowledge Articles
Chrome Resources
About the authors
Greg Whitworth is the Sr. Director of Product on the Salesforce Platform. You can follow him on Twitter and LinkedIn.
Chase Patterson is a Senior Member of Technical Staff on the UI Services Customer Success Team.
Elaine Rose is a Lead Technical Writer on the Domain Configuration team.
Jenna Bucien is a Technical Writer on the Salesforce Platform.
Carolyn James is an Engineering Program Manager within Platform.