Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP BTP and Third-Party Cookies Deprecation

JessyMonrose
Associate
Associate
‎2024 Apr 10 8:52 AM
11,982

Change in Progress (Update 2024-09-05)

Google has revised its strategy (July 22nd, 2024) regarding the third-party cookie deprecation. Instead of enforcing tracking protection by blocking third-party cookies centrally, they will offer this as a choice to their users across all their web browsing.

To allow our users to enable tracking protection, the solutions discussed in the blog remain fully relevant. We have updated the blog accordingly and incorporate any new guidance from Google as it becomes available. 

 

Are You Affected by the Third-Party Cookie Deprecation?

As you may already be aware, browser manufacturers are presenting users with a choice for tracking protection that prevents the usage of third-party cookies. A prominent example is Google Chrome’s plan to let “people make an informed choice that applies across their web browsing”. We are working to ensure that your SAP solutions continue to function with no or minimal potential change in user experience and your application code. The good news is that now is the perfect time to plan for any future changes you should adopt.

We have a webinar explaining the problem and solutions that summarizes the detailed information in this blog series:

Markus_Teichmann_0-1725628662766.png

 

Web applications can embed content, like other applications in iFrames. This architecture provides users with a seamless experience even though they are accessing two different applications, possibly running under different domains. Currently, this architecture relies on third-party cookies to function. The tracking protection proposed by Google for Chrome can potentially break this architecture.

There are three main criteria that a scenario must meet to be affected by these changes, i.e., the third-party cookie deprecation: An application uses (1) embedded content, which is (2) served by a third-party domain and (3) the embedded content needs cookies.

JessyMonrose_0-1723212388149.png

If one of these three criteria is not met, e.g., if your solutions are not intended to run embedded in iFrames or if they all run on the same domain, you are likely not affected by this change. But be aware that embedded scenarios can also occur, when using solutions like SAP Build Work Zone (see below for more details), and be cautious before declaring your application(s) as not affected.

With this blog, we want to make you aware of where we think you should be testing. Other blogs in this blog series will explain how you can test, how to mitigate any problems you find, and finally adopt a solution based on CHIPS or the Storage Access API, for example. 

 

Integrating Content into SAP Build Work Zone 

SAP Build Work Zone (both standard edition and advanced edition) is a central entry point solution for BTP responsible for integrating content. Applications that integrate into such a central entry point are likely to be affected by the deprecation of third-party cookies. Besides SAP Build Work Zone, other entry points might be affected, for example: 

  • SAP SuccessFactors Work Zone 
  • SAP Cloud Portal Service, Neo Environment 
  • SAP Cloud Portal Service, Cloud Foundry Environment 

 

JessyMonrose_0-1712734810165.png

Fig 1. Content Providers for SAP Build Work Zone, standard edition 

 

Figure 1 shows the typical content providers supported by SAP Build Work Zone, standard edition. See Integrating Business Content in the documentation. 

Content integrated with SAP BTP content providers is not affected by this change. We have taken steps to ensure this content continues to function. 

For content from remote content providers or from manual integrations, we recommend testing whether your solution works with tracking-protection enabled. Follow our testing guide: Preparing and Testing Your Solution for Third-Party Cookie Phase-Out. A good indicator that your application is explicitly configured to be integrated or embedded in an iFrame is if it has a content security policy applied. You can read more on the content security policy or other security guidelines like the x-frame option for content providers.

If you encounter any issues, this is a good time to adapt your applications according to our blog How to prepare your application for the blockage of third-party cookies. Details on how to adapt your application can be found in our blog post: How to prepare your application for the blockage of third-party cookies.

 

Integrating Content Outside of SAP BTP

Some more advanced scenarios also require testing. If your application is integrated into another application outside of SAP BTP, or if you are reusing SAP BTP content outside of SAP BTP to consume it on different domains, make sure to check whether the integration involves iFrames or cookies. If yes, then your application will likely not work for users with tracking protection enabled. 

 

Reacting to Google's 1% Trial

Since beginning of 2024, Google is running a trial of the opt-in behavior for tracking protection with 1% of unmanaged Chrome users. Chrome is blocking third-party cookies for these users to study the effect on websites and advertisers.

Follow our guide Preparing and Testing Your Solution for Third-Party Cookie Deprecation to find out how to test if your applications are affected by the trial.

If you encounter any issues, you may need to request an exception from Google for anything running under your custom domains. We, SAP, have made sure to secure exceptions for the most common central entry points hosted on SAP-owned domains: ondemand.comcloud.sap and sapcloud.cn. Your application can continue to be integrated into those entry points without any need for modification. However, we recommend testing the behavior of your application to simulate the effect of the tracking-protection as outlined in our guide: Preparing and Testing Your Solution for Third-Party Cookie Phase-Out.

These exceptions keep your solutions running until a solution that supports CHIPS or Storage Access API is implemented. Details on how to adapt your application can be found in our blog post: How to prepare your application for the blockage of third-party cookies.

If your application is integrated into entry points running on other domains, you need to act now and manually adjust your application to make use of the exceptions. A good indicator that your application is explicitly configured to be embedded in an iFrame is if it has a content security policy applied. You can read more on the content security policy or other security guidelines like the x-frame option for content providers. 

 

Further Information

We have created an SAP Note where we listed our solutions: SAP Note 3409306 - Removal of Third-Party Cookies in Google Chrome and Microsoft Edge Browser. Follow this note to stay up to date. 

This is the first part of our blog series covering the third-party cookie deprecation: 

Keep watching this space for more information regarding Google’s third-party cookie deprecation.

Also, make sure to check out our Frequently Asked Questions.

8 Comments
Labels in this area
Popular Blog Posts