The web is moving to deprecate third-party cookies, and not every site developer will have the time and bandwidth to implement workarounds that mitigate user-facing breakage. In particular, flows involving authentication tokens from identity providers are a common web pattern that relies on third-party cookies.
There are established practices where a browser grants temporary storage access when a user satisfies a predefined flow. We have assessed a few existing heuristics for security and privacy concerns, and have decided to prototype the following two scenarios:
- When a third party is loaded in a popup, after possible redirects, and the third party receives user interaction, the third party receives storage access on the opener site for 30 days.
- When a first party redirects to a third party, the third party receives a user interaction, and the third party then navigates back to the first party, the third party receives storage access on that first-party site for 15 minutes.
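The two heuristics above, modelled as an added example. This is not Chromium's code nor code from the explainer; the event shapes (`load`, `redirect`, `navigate`, `interaction`), the function names and the grant record are assumptions made here to show which sequences qualify and which do not (no user interaction, a same-site popup, an extra cross-site hop after the interaction), and how grant lifetimes are scoped.

```javascript
// Added example: toy model of the two proposed 3PCD exemption heuristics.
// Not Chromium's implementation; event shapes and helper names are assumed.
// Real browsers determine "site" with the Public Suffix List; siteOf() below
// keeps only the last two host labels, which is wrong for suffixes like co.uk.

const POPUP_GRANT_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
const REDIRECT_GRANT_MS = 15 * 60 * 1000;        // 15 minutes

function siteOf(url) {
  const host = new URL(url).hostname;
  return host.split('.').slice(-2).join('.');
}

// Popup heuristic: the opener opens a cross-site popup; after any redirects, the
// page the popup currently shows must receive a user interaction. The grant goes
// to the site that was interacted with, scoped to the opener's site.
function evaluatePopupFlow(openerUrl, popupEvents, now) {
  const opener = siteOf(openerUrl);
  let current = null;
  for (const ev of popupEvents) {
    if (ev.type === 'load' || ev.type === 'redirect') {
      current = siteOf(ev.url);
    } else if (ev.type === 'interaction') {
      // Interaction counts only on the page the popup is showing right now,
      // and a same-site popup needs no exemption at all.
      if (current !== null && siteOf(ev.url) === current && current !== opener) {
        return { embedder: opener, thirdParty: current,
                 expiresAt: now + POPUP_GRANT_MS, reason: 'popup' };
      }
    }
  }
  return null;
}

// Redirect heuristic: top-level navigation A -> B (cross-site), user interaction
// on B, then navigation back to A. B gets storage access embedded on A for 15 min.
function evaluateRedirectFlow(navEvents, now) {
  let firstParty = null;
  let thirdParty = null;
  let interacted = false;
  for (const ev of navEvents) {
    const s = siteOf(ev.url);
    if (ev.type === 'navigate') {
      if (firstParty === null) {
        firstParty = s;
      } else if (s === firstParty) {
        if (thirdParty !== null && interacted) {
          return { embedder: firstParty, thirdParty,
                   expiresAt: now + REDIRECT_GRANT_MS, reason: 'redirect' };
        }
        // Returned without an interaction on the third party: start over.
        thirdParty = null;
        interacted = false;
      } else {
        // A further cross-site hop: only the site the user actually interacts
        // with, and that navigates back, qualifies.
        thirdParty = s;
        interacted = false;
      }
    } else if (ev.type === 'interaction' && thirdParty !== null && s === thirdParty) {
      interacted = true;
    }
  }
  return null;
}

// Grant store keyed on (embedder site, third-party site); expired grants don't count.
function hasStorageAccess(grants, embedderUrl, thirdPartyUrl, now) {
  const e = siteOf(embedderUrl);
  const t = siteOf(thirdPartyUrl);
  return grants.some(g => g.embedder === e && g.thirdParty === t && g.expiresAt > now);
}

// Constructed sample run (hostnames are placeholders, not real sites).
const sampleNow = Date.now();
const sampleGrant = evaluateRedirectFlow([
  { type: 'navigate', url: 'https://shop.example/checkout' },
  { type: 'navigate', url: 'https://idp.example/login' },
  { type: 'interaction', url: 'https://idp.example/login' },
  { type: 'navigate', url: 'https://shop.example/checkout?code=abc' },
], sampleNow);
console.log(sampleGrant, hasStorageAccess([sampleGrant], 'https://shop.example/',
                                          'https://idp.example/', sampleNow));
```

Note that the grant is keyed on sites, so in the popup case an interaction on `sso.idp.example` after a redirect from `idp.example` yields a grant for `idp.example` on the opener's site; an identity provider that spreads its flow across registrable domains would not be covered by a single grant.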
We presented this proposal at TPAC to generally positive feedback:
Explainer: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md
Slides: https://docs.google.com/presentation/d/e/2PACX-1vQAjOEnKv3fyXchlYwO2JbPGrvaT7w3Q24ikac_1YWO8IhFJhPvaWBpXZPTMx0wYud1jgiM_TkVQIvw/pub
We appreciate any additional feedback, comments, or concerns from the broader community. Thank you!