Hey WebAppSec folks,

As you may already be aware, Chrome is shipping third-party cookie blocking by default in 2025.

One second order effect of this is any top-level document served with Content-Security-Policy: sandbox (e.g. untrusted user HTML content), which treats all subresource requests as cross-site, will have cookies blocked by default.

One unsatisfactory workaround for this is to include the allow-same-origin directive in the CSP sandbox header. This, however, exposes the hosting origin's entire first-party cookie jar (including SameSite=Lax/Strict cookies) to the sandboxed page, which is not feasible for some use cases from a security perspective.

In Chromium, I have landed a patch which allows users to opt-in to allowing top-level sandboxed pages to serve SameSite=None cookies only via a browser UI. However, I would like to gather feedback for an idea I had to provide an API-level solution for this as well.

One possible shape this API could take is a new directive for the CSP sandbox header:

Content-Security-Policy: sandbox allow-storage-access

This would allow top-level sandboxed pages to have access to their SameSite=None cookies by default when the page loads when third-party cookie blocking controls are enabled, without requiring the browser treat this as a first-party request with respect to SameSite.

This directive would have no effect on sandboxed frames that are not top-level in the page's frame tree, so there would be no privacy impact on users by introducing this.

I would like to hear feedback from the community on whether an API-level solution for this use case makes sense, and, if so, if the shape I am currently thinking of makes sense.