So if i have a product that uses 3rd party cookies to try and enhance the user experience (saving user progress in a 3rd party service for user convenience), whats the alternative to 3rd party cookies?
Bad actors are making it harder for people who want to use cookies for enhancing the experience rather than analytics and marketing.
The third party service can provide you with some JavaScript you inject into your website. It stores cookies on your domain instead of a third party one.
You don't need cross-origin scripts for this: you can host it yourself.
If you were to disallowed loading scripts cross-origin, everyone would just end up creating subdomains for everything you wanted to load, which would be worse security-wise I bet, as you'd lose some of the cross origin security features we have today.
I think the traditional approach is to make them 1st-party, by setting up a subdomain, like '3rdparty.yourdomain.com' and forward requests to it to '3rdparty.com.'
Microservices. You track state yourself, call their service and shuttle the data back and forth, all on your servers. The user touches one endpoint and sees one cert.
its for things that are ephemeral and nice-to-have for the user but not worth it for me to build myself when there are more important things to work on. dang, i had a nice thing going.
Bad actors are making it harder for people who want to use cookies for enhancing the experience rather than analytics and marketing.