Hello everyone

I'm writing this post in regards to the imminent deprecation of "third party" (i.e.: cross-site) cookies in browsers like Chrome and others.

My company has developed several custom visuals that make web requests to our backend services in order to fetch data.

Of course these calls rely on cookies to make sure users are authenticated on our backend services and properly authorized.

Until now, this was possible without issues. What we did in our visuals until now is this:

• We make a GET request to our backend to check if the user has their authentication cookie set
• If authentication fails, we open a new tab using host.launchUrl(https://our_backend_login_page) where the user can authenticate, and in the custom visual we start polling the backend to check when the user has logged in
• When the backend replies with success, it means the cookie has been set and the user is authenticated. We can now load the rest of the visual

Thanks to the "WebAccess" privilege, that allows us to make cross-site requests to specific domains without any problem, this worked perfectly until now. However, the new policy in Chrome and other browsers will soon break this mechanism, as Chrome itself lets you know:

Now, in their guide here, Google suggests various alternatives to third-party cookies, but from my preliminary research and tests the two main ones do not seem promising:

• The CHIPS method (aka: partitioned cookies) seems to not be applicable here, because it requires the partitioned cookie to be set from within the embedding site... but I cannot embed my site directly in the visuals, because the visuals themselves are sandboxed iframes (that is why I do the open new tab + polling method instead, like I described before)
• The Storage Access API method seems, on paper, to be exactly what we need: we can just explicitly request access to the user and if they accept third-party cookies will start working again. However, when I tried to implement the suggested flow, it doesn't work. Specifically, I get the following error when trying to invoke the document.requestStorageAccess() method:
  

  I cannot find much info on this error but, like the problem with the CHIPS method, it seems to be related to the fact the the Custom Visuals iframes are sandboxed and configured so that a call to window.origin returns null.

Now, can anyone tell me if I did something wrong, or am I correct in what I just wrote? Am I missing something? Are the ways to implement one of those two approaches in a PoweBI custom visual?

If the answer is no, does anyone know of any alternative solutions? The only thing I can think of is using the recently introduced option to access the local storage from a Custom Visual to store an authentication token (for example: JWT). However, this is not as straightforward as it sounds, because we must first ACQUIRE the authentication token somehow. I've thought of some hacky workarounds, but nothing that sounds like a proper solution. Does anyone have any better ideas?

Thanks in advance for your support.