How blocking third-party cookies can fix the web's security model

Jul 18, 2024

About

The blocking of third-party cookies is arguably the largest change to the web platform in recent years, influencing not only how developers build web applications but also fundamentally reshaping the web's security model. In this talk, we’ll discuss the background behind these changes and outline how a principled approach to blocking third-party cookies can improve the security of the web ecosystem. We will start by homing in on one of the “original sins” of the web platform and explain how the presence of third-party cookies and an unpartitioned HTTP cache has enabled many of the classic web vulnerabilities, including CSRF, clickjacking, and many types of XS-Leaks. We'll then move to the world of privacy and discuss concerns about cross-site tracking, including alternative tracking techniques that web browsers need to prevent in conjunction with blocking third-party cookies. The main part of our talk will focus on work to extend the scope of these privacy-motivated changes to improve the fundamental security properties of the web platform and make it secure-by-default against long-standing problems. This includes preventing many web application vulnerability classes and eliminating other sources of insecurity such as browsing history leaks and cache-based XS-Leaks. We'll describe work we've done with Chrome's Privacy Sandbox team and other browser vendors to make sure these changes offer a robust security boundary. Finally, we’ll dig into the details of what it means to really deprecate third-party cookies, why it is hard, and the many edge cases browser vendors have to grapple with. We’ll talk about known gaps in third-party cookie blocking which will require long-term efforts to improve without breaking existing web functionality. We'll end by sharing a comprehensive set of best practices for building secure web apps in a post-third-party-cookie world.
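The abstract's core claim, that third-party cookies are what turn a cross-site request into an authenticated one, can be seen in a small model of a browser cookie jar. This is an added illustration, not code from the talk or from any browser; it assumes a simplified "site" computation (last two host labels instead of the Public Suffix List) and ignores the SameSite attribute and partitioned (CHIPS) cookies, so it only shows the allow-all versus block-third-party difference.

```python
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Return the site (registrable domain) of a URL.

    Assumption for this model: the site is the last two host labels.
    Real browsers consult the Public Suffix List, so e.g. 'co.uk' hosts
    would be grouped incorrectly here.
    """
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_third_party(top_level_url: str, request_url: str) -> bool:
    """A request is third-party when its site differs from the top-level page's site."""
    return site_of(top_level_url) != site_of(request_url)


class CookieJar:
    """Minimal cookie store that applies a 'block third-party cookies' policy."""

    def __init__(self, block_third_party: bool) -> None:
        self.block_third_party = block_third_party
        self.store: dict[str, dict[str, str]] = {}  # site -> {name: value}

    def set_cookie(self, url: str, name: str, value: str) -> None:
        self.store.setdefault(site_of(url), {})[name] = value

    def cookies_for(self, top_level_url: str, request_url: str) -> dict[str, str]:
        """Cookies attached to a request issued while the page at top_level_url is loaded."""
        if self.block_third_party and is_third_party(top_level_url, request_url):
            return {}  # third-party context: cookie not sent, request is unauthenticated
        return dict(self.store.get(site_of(request_url), {}))


def cross_site_post_carries_session(block_third_party: bool) -> bool:
    """Does a form POST from an unrelated site reach bank.example with the session cookie?"""
    jar = CookieJar(block_third_party)
    # Constructed scenario: the user signs in to bank.example as a first party...
    jar.set_cookie("https://bank.example/login", "session", "constructed-session-id")
    # ...then visits an unrelated site whose page submits a POST to bank.example.
    sent = jar.cookies_for("https://other-site.example/page", "https://bank.example/transfer")
    return "session" in sent


def same_site_request_carries_session(block_third_party: bool) -> bool:
    """Ordinary first-party navigation keeps working under either policy."""
    jar = CookieJar(block_third_party)
    jar.set_cookie("https://bank.example/login", "session", "constructed-session-id")
    return "session" in jar.cookies_for("https://www.bank.example/home", "https://bank.example/transfer")
```

With third-party cookies allowed the cross-site POST is authenticated (the classic CSRF precondition); with them blocked it is not, while same-site requests, including from a subdomain, are unaffected.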

Organizer

About Loco Moco Security Conference

Inclusive product security conference that attracts builders and defenders from around the world.
