How Third-Party Cookie Restrictions Impact Salesforce Canvas Apps

Prepare Salesforce Canvas apps for the new web browser restrictions on third-party cookies. Several major browsers have already disabled third-party cookies by default, including Mozilla Firefox, Apple Safari, and Brave. In January 2024, Google started a gradual rollout of its Privacy Sandbox initiative, which phased out support for third-party cookies in its Chrome browser and enforces storage partitioning in third-party contexts. However, in July 2024, Google reversed its plans to completely block third-party cookies. Instead, Chrome users can decide whether to block third-party cookies. Despite Google’s recent reversal, Salesforce moves ahead with its plans to end reliance on third-party cookies, such as moving Setup pages to the new *.salesforce-setup.com domain. Other popular browsers already block third-party cookies by default, and Salesforce expects that many users will choose to block third-party cookies due to privacy concerns.

Third-party cookies are the main mechanism that enables cross-site tracking. When Canvas apps are exposed in Salesforce via an iframe, the content may not load properly because the content is served from a different domain. To avoid problems late in development, test Canvas apps in a Salesforce container early. To design applications that don’t rely on cookies, session storage, or local storage to track users, build your Canvas apps as single-page applications (SPAs).