Webmasters need to resolve non-compliant cookies by February 17
Upcoming changes to how the Chrome browser handles cookies will result in a “modest” amount of website breakage, Google warns.
A new cookie classification scheme will debut in the newest version of Chrome this month, after which any cookie that does not have a designated SameSite value will be blocked from cross-site requests.
Although the move is expected to help improve both user privacy (by frustrating the efforts of some third-party analytics and tracking companies) and security (by blocking certain attacks), it has also led to fears that some websites may break as a result of the SameSite change.
Same same, but different
Cookies are implemented in websites for advertising, tracking, content personalization, and analytics purposes. Cookies are associated with domains, and if they match the website in the address bar, they are deemed ‘same-site’, or first party.
If the cookie’s domain does not match the website in the address bar, the cookie is considered to be in a ‘cross-site’ or third-party context. This includes cases where a cookie is shared between multiple websites owned by the same entity.
Webmasters have the option to apply SameSite=Lax or SameSite=Strict to restrict cookies to same-site requests. Google says, however, that few choose to do so, and this is leaving websites open to cross-site request forgery (CSRF) and numerous other attacks.
With the introduction of Chrome 80 this month, however, the browser will treat any cookie without a designated SameSite value as SameSite=Lax, banning them from cross-site requests.
Standard websites, as well as domains implementing accelerated mobile pages (AMP), may be affected by the change in default behavior, especially since, in the latter case, AMP caches are loaded under faux first-party cookies.
Webmasters, therefore, need to make sure they specify how they want cookies to be handled before the upcoming deadline on February 17 in order to prevent any website disruption.
Google first announced the changes to the way Chrome will be handling cookies in October 2019.
In addition to banning external access to cookies without a designated SameSite value, webmasters wishing to avoid the new restrictions by specifying SameSite=None will also need to implement the Secure attribute.
This will mark a push towards what the tech giant is calling a “secure-by-default” model, as it means that cross-site cookies can only be accessed over HTTPS.
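The two rules described above (a missing SameSite attribute is treated as Lax, and SameSite=None is only honoured together with Secure) are easy to audit mechanically. The following is an added example, not code from the article or from Google: it classifies Set-Cookie header values under the Chrome 80 defaults; the header strings are constructed samples, and the handling of unrecognised SameSite values is an assumption of this example.

```python
# Added example (not from the article or Google); header strings are constructed samples.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]   # SameSite value as written (lower-cased), None if absent
    secure: bool
    effective: str            # "lax", "strict", "none" or "rejected" under Chrome 80
    cross_site_ok: bool       # will Chrome 80 still send it on cross-site requests?
    findings: List[str] = field(default_factory=list)

def audit_set_cookie(header: str) -> CookieAudit:
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    samesite, secure = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            samesite = value.strip().lower()
        elif key.strip().lower() == "secure":
            secure = True
    findings: List[str] = []
    if samesite in ("lax", "strict"):       # already restricted to same-site requests
        return CookieAudit(name, samesite, secure, samesite, False, findings)
    if samesite == "none":
        if secure:                          # cross-site use allowed, HTTPS only
            return CookieAudit(name, samesite, secure, "none", True, findings)
        findings.append("SameSite=None without Secure: Chrome 80 rejects this cookie; "
                        "add the Secure attribute and serve it over HTTPS")
        return CookieAudit(name, samesite, secure, "rejected", False, findings)
    if samesite is not None:  # assumption here: unrecognised values are treated like a missing one
        findings.append(f"unrecognised SameSite value {samesite!r}; review it")
    findings.append("no explicit SameSite: Chrome 80 defaults to Lax, so the cookie stops "
                    "being sent on cross-site requests; set SameSite explicitly")
    return CookieAudit(name, samesite, secure, "lax", False, findings)

def non_compliant(headers: List[str]) -> List[CookieAudit]:
    # Only the cookies that need attention before the February 17 rollout.
    return [a for a in map(audit_set_cookie, headers) if a.findings]

SAMPLE_HEADERS = [  # constructed samples, not captured from any real site
    "sessionid=abc123; Path=/; HttpOnly",        # missing SameSite -> Lax by default
    "embed_pref=dark; SameSite=None",            # None without Secure -> rejected
    "ads_id=xyz789; SameSite=None; Secure",      # compliant cross-site cookie
    "csrf_token=t0k3n; SameSite=Strict; Secure", # compliant same-site cookie
]
if __name__ == "__main__":
    for a in non_compliant(SAMPLE_HEADERS):
        print(f"{a.name}: treated as {a.effective}; " + "; ".join(a.findings))
```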
The upcoming changes may inconvenience some webmasters, but they are considered by Google and some experts in the field as a win for privacy.
Read more of the latest browser security news from The Daily Swig
In an update posted by Google’s Lily Chen, the software engineer said the use of the Secure attribute is on the rise and that, as of January 21, over 67% of SameSite=None cookies had been implemented with the Secure attribute.
Chrome uses a ‘Site Engagement Score’ from 0 to 100 for every domain a user is able to interact with.
After examining the scores of non-compliant cookies on websites, Chen says that 79% of domains which would have cookies blocked had no user engagement score and only 4% had ‘medium’ levels of interaction (15.0 to 50.0), with fewer than 3% accounting for ‘high’ levels of interaction (50.0+). As such, it is unlikely that user-visible breakage will run rampant with the introduction of Chrome 80, the argument goes.
Chen says the tests “indicate a very modest amount of breakage”.
Google actively tested websites in the Alexa Top 50, finding no cookie compliance issues. In the Top 100, many webmasters said they were aware of the change and are pushing for compliance before the deadline. Testing for the Alexa Top 1,000 is still underway, but out of 400 websites tested so far, breakage occurred in fewer than 15.
“The vast majority of the remaining noncompliant cookies are on sites with little to no user engagement, so there may not be much user-visible breakage,” Chen said. “We believe the SameSite cookie changes are safe to roll out in February 2020.”
The stable release of Chrome 80 is scheduled for February 4, with SameSite behavior to be gradually rolled out from February 17.
Mozilla and Microsoft also intend to make the SameSite switch on their own browsers, Firefox and Edge.