Google will begin rolling out version 80 of its popular Chrome browser on February 4th. The release includes new cookie rules meant to strengthen security, and the change could also block cross-site tracking features.
The Mountain View, California-based company revealed back in 2019 that it was working on the feature. At the time, Google said it would help prevent security issues caused by cookie vulnerabilities. For example, bad actors could exploit browser cookies — tiny files stored on your computer by websites — to transfer funds or hijack accounts.
Chrome 80 seeks to prevent cookie exploitation by enforcing a new cookie classification system intended to make cookies more secure.
Currently, web developers can indicate how cookies behave using the ‘SameSite’ attribute. SameSite allows developers to lock access to a given cookie unless the URL matches the one in the address bar. Alternatively, developers can lock cookies so they only work when a website uses a secure connection, such as HTTPS.
In other words, developers can set their cookies to be ‘first-party only,’ which means they only work on the website they come from. Developers can also set their cookies to be ‘third-party,’ which means they work across websites. Until now, developers didn’t have to specify the SameSite attribute, but that’s changing.
Chrome 80 makes cookies ‘secure-by-default’
With Chrome 80, the browser will treat all cookies that don’t have a specified SameSite attribute as if they had the ‘SameSite=Lax’ attribute. This restricts those cookies to first-party only use. Further, it effectively shuts down cross-site tracking from these cookies.
However, developers who want to enable third-party cookies will need to set the SameSite attribute to ‘None’ and also mark the cookie ‘Secure,’ which forces third-party cookies to be sent over more secure HTTPS connections.
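The rules described above can be checked against a site's own Set-Cookie headers before enforcement begins. The following is an added example, not code from Google or the Chromium project; the function names and the sample headers are constructed for illustration.

```javascript
// Constructed Set-Cookie header values (sample data, not from a real site).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',        // no SameSite attribute
  'widget=1; Path=/; SameSite=None',         // None without Secure
  'embed=xyz; Path=/; SameSite=None; Secure',
  'prefs=dark; SameSite=Strict; Secure',
];

// Split one Set-Cookie value into its name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attributes = new Map();
  for (const attr of attrs.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes.set(key, i === -1 ? '' : attr.slice(i + 1).trim());
  }
  return { name, attributes };
}

// Classify a cookie the way the Chrome 80 rules above describe.
function classifyCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const secure = attributes.has('secure');
  const declared = (attributes.get('samesite') || '').toLowerCase();
  if (declared === 'none') {
    // Third-party use is opt-in and only valid together with Secure;
    // Chrome rejects a SameSite=None cookie that lacks it.
    return { name, effective: 'None', thirdParty: secure, rejected: !secure, defaulted: false };
  }
  if (declared === 'strict') {
    return { name, effective: 'Strict', thirdParty: false, rejected: false, defaulted: false };
  }
  // Missing SameSite is treated as Lax. Unrecognized values are handled the
  // same way here, which is an assumption of this example.
  return { name, effective: 'Lax', thirdParty: false, rejected: false, defaulted: declared !== 'lax' };
}

// Cookies a developer should review: rejected outright, or silently defaulted.
function auditCookies(headers) {
  return headers.map(classifyCookie).filter((c) => c.rejected || c.defaulted);
}

console.log(auditCookies(SAMPLE_HEADERS));
```

With the sample data, the audit flags ‘session’ (silently defaulted to Lax) and ‘widget’ (SameSite=None without Secure), while ‘embed’ and ‘prefs’ pass because they declare their intent explicitly.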
Ultimately, this change benefits users by enabling more secure cookies by default. It could also break products and services that rely on cross-site tracking which, depending on your view, is good or bad. For example, it could stop sites from showing ads based on your internet history, but it could also break embedded content like YouTube videos and tweets — assuming those cookies don’t use SameSite attributes already.
Of course, Google wants to give developers time to adapt before shipping a significant change that could potentially break sites and services. As such, Chrome won’t enforce the change until later in February. When Chrome does begin enforcing the new rules, it will start with a small group of users and gradually increase over time.
Web developers interested in learning more about the change should check out the Chromium team’s blog post on it.