Browser developer intends to renew its privacy efforts over the summer


In an effort to protect essential web services during the Covid-19 outbreak, Google is rolling back changes to the Chromium browser project that were designed to stop users from being tracked by websites.

In a post published on the Chromium blog on Friday (April 3), the web browser and search engine giant said it would temporarily reverse the SameSite changes, whereby cookies can only be read by third-party sites with the developers’ explicit permission, with immediate effect.

Justin Schuh, Google’s director of Chrome engineering, said the rollback was designed to avoid disruption to websites providing critical services such as “banking, online groceries, government services and healthcare” amid the coronavirus pandemic, although he said that “most of the web ecosystem was prepared” for the new rules.

“It was a necessary decision given that Covid-19 has redefined how web services are meeting essential needs for so many people right now,” Schuh added in a Twitter post on Friday.

In the stable release of Chrome 80 in February, Chrome began enforcing secure-by-default handling of third-party cookies – a policy change that would also block cross-site request forgery (CSRF) exploits and many other malicious attacks.

“We’ve been gradually rolling out this change since February and have been closely monitoring and evaluating ecosystem impact, including proactively reaching out to individual websites and services to ensure their cookies are labeled correctly,” Schuh said.

“However, in light of the extraordinary global circumstances due to Covid-19, we are temporarily rolling back the enforcement of SameSite cookie labeling, starting today.”




As previously reported by The Daily Swig, Google recently warned that the new cookie classification scheme – which would result in cookies that lacked a designated SameSite value being withheld from cross-site requests – might result in a “very modest amount” of website breakage.

However, the browser maker has sought to reassure users and website owners that the rollback would not cause any disruption.

Google says it intends to resume its enforcement of the SameSite changes at some point over the summer, and that further updates would be flagged on the Chromium blog and the SameSite Updates page.
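Site owners can check how their own cookies are labeled before enforcement resumes. The following Python is an added example, not code from Google or The Daily Swig; it classifies `Set-Cookie` header values under the Chrome 80 rules (a cookie with no SameSite attribute is treated as Lax, and SameSite=None is accepted only together with Secure). The function names, verdict strings and sample headers are constructed for illustration.

```python
# Added example. Verdicts follow Chrome 80's SameSite enforcement:
#   no SameSite attribute -> treated as SameSite=Lax
#   SameSite=None         -> accepted only together with Secure

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify(header):
    """Return (cookie name, verdict) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    if samesite is None:
        # Unlabeled: no longer sent on cross-site subrequests.
        return name, "UNLABELED_DEFAULTS_TO_LAX"
    value = samesite.lower()
    if value == "none":
        # Cross-site use is allowed only for Secure cookies.
        return name, "OK_CROSS_SITE" if "secure" in attrs else "REJECTED_NEEDS_SECURE"
    if value in ("lax", "strict"):
        return name, "OK_SAME_SITE"
    return name, "UNRECOGNIZED_VALUE"

def needs_attention(headers):
    """Cookies whose behaviour changes once enforcement is active."""
    flagged = []
    for header in headers:
        name, verdict = classify(header)
        if not verdict.startswith("OK"):
            flagged.append((name, verdict))
    return flagged

# Constructed sample headers, not taken from any real site.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",
    "widget=1; SameSite=None",
    "sso=xyz; SameSite=None; Secure; HttpOnly",
    "prefs=dark; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, verdict in needs_attention(SAMPLE_HEADERS):
        print(cookie, verdict)
```

Cookies flagged as unlabeled keep working for same-site use; they need an explicit `SameSite=None; Secure` only if a third-party context depends on them.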

This isn’t the first time that the coronavirus crisis has prompted the major browser developers to delay security-related updates.

Last month, both Mozilla and Google rolled back plans to abandon support for TLS 1.0 and 1.1 in Firefox and Chrome respectively. Microsoft followed suit for its Edge and IE browsers shortly after.

