Cross-Site Cookies and How Google Chrome Browser Update will Impact You

Posted by: Do Lee January 22, 2020 Collaboration

Google Chrome is the first browser to change how it handles cross-site cookies. The change arrives with version 80, scheduled for release on February 4, 2020, as announced at: https://www.chromium.org/updates/same-site. Other browsers are also in the process of similarly updating their handling of cross-site cookies. How does this impact you? Read below for details.

  • What are cross-site cookies?
    • Every cookie has a URL associated with it. If the URL associated with the cookie is not the same as the URL in the browser address bar, it is considered a cross-site cookie. (For more information go to: https://web.dev/samesite-cookies-explained/)
    • e.g. – The news.yahoo.com site has advertising content that creates a cookie associated with the URL add.advertising.com. The user’s browser shows http://news.yahoo.com, but the URL associated with the cookie is add.advertising.com.
  • What is the change?
    • Starting in February:
      • If a cookie’s SameSite attribute is not specified, Chrome will assume SameSite=’Lax’, which will block access to cross-site cookies.
      • If a cookie’s SameSite attribute is ‘None’, Chrome will allow access to cross-site cookies over HTTPS connections.
      • If a cookie’s SameSite attribute is either ‘Lax’ or ‘Strict’, Chrome will block access to cross-site cookies.
  • What should I do?
    • If your site does use cross-site cookies, update the cookies to set the SameSite attribute to ‘None’.
    • You can test if there is an impact to your application by doing the following in Chrome:
      • In the address bar, enter the URL ‘chrome://flags/#same-site-by-default-cookies’.
      • Set the flags ‘SameSite by default cookies’ and ‘Cookies without SameSite must be secure’ to ‘Enabled’ and restart the Chrome browser.
      • Test all applicable flows that involve cookies to determine if there is an impact.
      • If there is an impact, check with your identity federation service and/or application provider to see if they have provided any updates to cover this issue.
  • Are Exostar products impacted by the change?
    • Exostar products have been updated to be compatible with the changes coming with Chrome 80 in February 2020.
    • This does not mean that your system that is integrated with Exostar products has been updated.
  • Are other browsers impacted?
    • At this time, other browsers such as Firefox and Microsoft Edge have this as optional and are planning to implement it similarly to Google Chrome in the future.
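
The three SameSite rules under "What is the change?" can be applied to a server's Set-Cookie headers before testing in the browser. The following is an added example, not part of the original post and not Exostar code; the function names and sample headers are constructed, and rejecting SameSite=None cookies that lack Secure reflects the ‘Cookies without SameSite must be secure’ flag named above.

```python
# Added example: how Chrome 80 treats a cookie in a cross-site context,
# based on the SameSite rules listed in the post. Sample headers are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cross_site_verdict(header):
    """Return (name, verdict) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "":
        return name, "blocked: SameSite missing, treated as Lax"
    if samesite == "none":
        if "secure" in attrs:
            return name, "allowed over HTTPS"
        # Behaviour of the 'Cookies without SameSite must be secure' flag.
        return name, "rejected: SameSite=None without Secure"
    if samesite in ("lax", "strict"):
        return name, "blocked: SameSite=" + samesite.capitalize()
    return name, "review: unrecognized SameSite value"

def cookies_needing_update(headers):
    """Names of cookies Chrome 80 will not send in cross-site requests."""
    return [name for name, verdict in map(cross_site_verdict, headers)
            if verdict != "allowed over HTTPS"]

SAMPLE_HEADERS = [  # constructed for illustration
    "session=abc123; Path=/; HttpOnly",
    "sso_token=xyz; Path=/; Secure; SameSite=None",
    "tracker=1; SameSite=None",
    "prefs=dark; SameSite=Lax",
    "csrf=t0k3n; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print("%-10s %s" % cross_site_verdict(header))
```

Only cookies that are actually read in a cross-site flow, such as a federated sign-in, need to move to SameSite=None; the rest can stay as they are.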