Webmasters should make the switch soon, developers warn

Websites that use mix of HTTP, HTTPS schemes may break under new Chrome SameSite rules

Google has announced more changes to the way Chrome handles same-site cookie requests.

The world’s most popular web browser started blocking cross-site requests by default after new same-site cookie request rules were enforced earlier this year.

Cookies, which are used to deliver advertising, tracking, content personalization, and more, are associated with domains. If they match the website in the address bar, they are deemed ‘same-site’, or first-party cookies.

If they relate to external domains, they are considered to be in a ‘cross-site’ or third-party context. This includes cases when a cookie is shared between multiple websites owned by the same entity.

Webmasters have the option to apply SameSite=Lax or SameSite=Strict to restrict cookies to same-site requests.

Failure to implement either option can leave websites open to cross-site request forgery (CSRF) and numerous other web-based attacks.

As a result, Google made the move to enforce SameSite=Strict by default, thus blocking all cross-site cookie requests.

More cross-site changes

Developers behind Google Chrome have now expanded the same-site rules to include URLs.

Unfortunately for some, this means that any website that still uses a mix of HTTP and HTTPS schemes will be classed as ‘cross-site’ and blocked – even if they’re on the same domain.

The changes were made to stop attackers from bypassing the same-site restrictions with a manipulator-in-the-middle (MitM) attack.
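To see which requests on a mixed-scheme site stop carrying cookies once the scheme counts towards the site, the sketch below compares the old and new same-site checks. It is an added example, not code from Chrome or from the blog post; the function names, the two-label registrable-domain shortcut and the example.com URLs are assumptions made for illustration.

```javascript
// Assumption: last two host labels stand in for the registrable domain.
// Browsers use the Public Suffix List (needed for suffixes such as co.uk).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// With schemeful=true the scheme is part of the "site", so
// http://example.com and https://example.com are cross-site.
function isSameSite(from, to, schemeful) {
  const a = new URL(from);
  const b = new URL(to);
  if (registrableDomain(a.hostname) !== registrableDomain(b.hostname)) return false;
  return !schemeful || a.protocol === b.protocol;
}

// req: { from, to, method, topLevelNavigation }
function cookieSent(sameSite, req, schemeful) {
  if (isSameSite(req.from, req.to, schemeful)) return true;
  if (sameSite === 'None') return true; // cross-site allowed (cookie must be Secure)
  if (sameSite === 'Lax') {
    // Lax: cross-site only on top-level navigations with a safe method.
    return req.topLevelNavigation && ['GET', 'HEAD'].includes(req.method);
  }
  return false; // Strict: never sent cross-site
}

// Requests whose cookie was sent under the old rules but is dropped
// once the scheme counts towards the site.
function breakage(requests, sameSite) {
  return requests
    .filter((r) => cookieSent(sameSite, r, false) && !cookieSent(sameSite, r, true))
    .map((r) => r.name);
}

// Constructed sample: a site that still serves some pages over HTTP.
const mixedSchemeRequests = [
  { name: 'link', from: 'http://example.com/', to: 'https://example.com/account',
    method: 'GET', topLevelNavigation: true },
  { name: 'form-post', from: 'http://example.com/login', to: 'https://example.com/session',
    method: 'POST', topLevelNavigation: true },
  { name: 'subresource', from: 'http://example.com/', to: 'https://cdn.example.com/app.js',
    method: 'GET', topLevelNavigation: false },
];

for (const policy of ['Strict', 'Lax', 'None']) {
  console.log(policy, breakage(mixedSchemeRequests, policy));
}
```

Running the same comparison over a site's own link, form and subresource URLs shows which session flows depend on an HTTP page that needs upgrading.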

A blog post explains more details behind the move and advises webmasters on what changes they may need to make.




“One of the main reasons for the change to SameSite=Lax as the default for cookies was to protect against cross-site request forgery,” the post explains.

“However, insecure HTTP traffic still presents an opportunity for network attackers to tamper with cookies that will then be used on the secure HTTPS version of the site.

“Creating this additional cross-site boundary between schemes provides further defense against these attacks.”

Webmasters are warned that they must upgrade to full HTTPS or risk their website breaking.

