As browser vendors push for more privacy-aware user choices, Google Chrome could soon start encouraging users to block third-party cookies, with potentially significant effects for side-by-side extensions on SAP Business Technology Platform (BTP).

A recent ASUG webcast, led by SAP experts Dr. Christof Momm and Dr. Markus Teichmann, both on the Integration & Cross Architecture team in the Office of the Chief Technology Officer (CTO) at SAP, shed light on the potential risks to SAP BTP-based extensions due to third-party cookies being phased out in Google Chrome and other browsers. With the impending nature of this change to the status quo, Momm and Teichmann made it clear why and how organizations should take proactive action.

Third-party cookies have long played a pivotal role in web functionality, beyond merely tracking and advertising functions. Momm explained that blocking third-party cookies could lead to “really strange effects,” such as “endless nested loops of login windows and the application not loading at all.” Although SAP is currently addressing this issue’s potential impact on its components and integrations, customer-owned extensions will also require fixes to mitigate potential problems.

According to Momm, three criteria must all be true for an integration scenario to fail due to third-party cookie blocking:

  1. The use of embedded content,
  2. Which is served by a third-party domain,
  3. And which needs cookies.

Since automated scanning for affected integrations is not feasible, “a fair deal of analysis and testing” is needed, he said. Despite recent announcements suggesting that Google has revised its third-party cookie phase-out strategy, offering this as an option to users rather than blocking third-party cookies centrally, Momm said organizations should still take action to prepare for deprecation.

“Our expectation is that Google will advertise this feature aggressively so that the ramp-up still takes place—not, in this case, initiated by Google, but by the users,” he explained. Since early 2024, Google has been running a trial of the opt-in behavior for tracking protection with 1% of unmanaged Chrome users, blocking third-party cookies for these users to study what effect this has on websites and advertisers.

With the trial ongoing, a Google Chrome tracking protection feature is expected to be introduced in the near future. The impact of such a change is already evident from the tracking protection feature offered by Safari, which is “sufficient to break integrations that rely on cookies.” Given this context, Momm urged organizations to remove their dependency on third-party cookies to avoid possible issues.

Testing, Mitigation, and Permanent Solutions

After Momm set the stage for third-party cookie deprecation, Teichmann laid out a step-by-step guide for addressing the phase-out, including testing for impacted scenarios, applying temporary mitigations, and implementing permanent solutions to support application reliability in a privacy-focused future. While testing for scenarios, he stressed the importance of considering two perspectives: “your application integrated into another application” and “reliance on content that might be served from a third party.”

To illustrate the disruptions caused by third-party cookie blocking, Teichmann demonstrated a real-world scenario involving a BTP-based application integrated into SAP Build Work Zone. The application, served from a different domain, failed to load properly when third-party cookies were blocked, exemplifying why proactive testing and mitigation are crucial.

For permanent solutions, he highlighted the use of CHIPS (Cookies Having Independent Partitioned State) and the Storage Access API. CHIPS provides “separate cookie jars for each context of the application,” meaning that a cookie can be used only within the site context in which it was set and not across sites. This solution requires reconfiguring the application’s router, but it is applicable in most BTP-based extension use cases. Meanwhile, the Storage Access API, the “gatekeeper” API, serves as a “key that will allow the usage of third-party cookies in special circumstances” but might require user consent, according to Teichmann.
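The three failure criteria listed earlier and the CHIPS fix described above can be combined into one review check. The following is an added example, not code from the webcast or from SAP; the hostnames, cookie names and the `assessEmbedding` helper are constructed for illustration, and it assumes a cookie meant for a partitioned cross-site context should carry `SameSite=None`, `Secure` and `Partitioned`.

```javascript
// Added example (not from the webcast); hostnames and cookie names are constructed.
// Simplification: "site" is the last two host labels; a real check needs the Public Suffix List.
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into { name, attrs } with lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim().toLowerCase();
  }
  return { name: pair.split("=")[0], attrs };
}

// Apply the three criteria, then list the CHIPS attributes each cookie is missing.
function assessEmbedding(topLevelUrl, frameUrl, setCookieHeaders) {
  const embedded = frameUrl !== null;
  const thirdParty = embedded && site(topLevelUrl) !== site(frameUrl);
  const cookies = setCookieHeaders.map(parseSetCookie);
  const atRisk = embedded && thirdParty && cookies.length > 0;
  const findings = !atRisk ? [] : cookies.map(({ name, attrs }) => {
    const missing = [];
    if (attrs.samesite !== "none") missing.push("SameSite=None");
    if (!attrs.secure) missing.push("Secure");
    if (!attrs.partitioned) missing.push("Partitioned");
    return { name, chipsReady: missing.length === 0, missing };
  });
  return { embedded, thirdParty, needsCookies: cookies.length > 0, atRisk, findings };
}

// Constructed sample: an extension framed inside a portal on a different site.
const sample = assessEmbedding(
  "https://portal.workzone.example",
  "https://orders.extension.example/index.html",
  [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "__Host-route=r1; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",
  ]
);
console.log(JSON.stringify(sample, null, 2));
```

The headers to feed in are the `Set-Cookie` values seen in the embedded frame's responses, for example as shown in the browser's network panel during a test with third-party cookies blocked.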

Common Super Domain Update and Timeline Implications

The speakers addressed the connection between the cookie phase-out and SAP’s “common super domain feature” update, which is intended to mitigate the effects caused by major browser vendors' discontinuing support for third-party cookies on their browsers.

While the common super domain helps to avoid this issue for SAP software-as-a-service (SaaS) solutions, customer-owned extensions are not permitted to run in this environment for security reasons. As a result, privacy-preserving alternatives like CHIPS and Storage Access API remain necessary for these scenarios.

Momm also discussed Google’s updated timeline for the phase-out. A tracking protection feature is slated for release in 2025—despite the recent shift from a push to a pull approach. To stay abreast of any changes to this timeline, organizations should monitor the official Google timeline and SAP’s documentation for the most up-to-date information on the phase-out plan and its implications.

While the exact timing may change, Teichmann emphasized that the responsibility for addressing the cookie phase-out falls on the owners of the integrated content, whether internal or third-party. “If you own an application that is being integrated somewhere else, then you need to get active,” he said, adding that partners and third-party vendors must also act to remedy potential issues.

Lingering questions, such as the availability of alternative browsers and the role of content owners in tackling the issue, underscore the need to prepare for a change that is all but certain. “All the browser vendors agree that the current usage of cookies and their abuse by the advertising and tracking industry is something they want to get rid of,” said Teichmann. Organizations must react accordingly and adapt to a future without the use—and misuse—of third-party cookies and implement all necessary solutions.

The speakers offered both an urgent call to action and a clear path forward, urging users at organizations to ensure the smooth functioning of their BTP-based extensions and find their footing in a future that prioritizes privacy and data security.

Watch the full webcast on demand here.
