id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2547	Support Partitioned Cookies for load balancing according to CHIPS	schnieders@…		"All browsers will (or already have) restrict their 3rd-Party-Cookie handling to prevent user tracking. You are affected using nginx load balancer functionality in the following use case:

* Your application is integrated in a 3rd-Party context
* You are tied to a local state on a certain deployment unit
* You use a sticky session cookie for load balancing

In such cases, the 3rd-Party session cookie will be blocked by the browser and your application will probably not work correctly. Safari blocks them already, Chrome and Firefox will do so, starting in mid 2024. To support such a use case as mentioned, CHIPS was introduced (https://github.com/privacycg/CHIPS). CHIPS will be supported by

* Chrome
* Firefox
* Safari/Webkit seems to be undecided yet
* Microsoft Edge might follow Chrome, since it's quite the same basis

Technically, CHIPS defines the cookie attribute ""Partitioned"", that will be handled by the browser in a certain jar for the 3rd-Party context within the 1st-Party context. So a tracking for multiple sites is not possible.

nginx should support Partitioned Cookies. The existing configuration could be extended as follows


{{{
upstream backend {
    server backend1.example.com route=a;
    server backend2.example.com route=b;

    sticky cookie srv_id expires=1h domain=.example.com samesite=none secure path=/ partitioned;
}
}}}


that results in an HTTP-Response Header value like this:


{{{
Set-Cookie: __Host-SID=31d4d96e407aad42; SameSite=None; Secure; Path=/; Partitioned;
}}}

(example is copied from the CHIPS proposal site)"	enhancement	new	minor		other	1.25.x		cookie, loadbalancing, chips			1.25