Cross-Site Cookies and How Google Chrome Browser Update will Impact You
Google Chrome is the first browser to change how it handles cross-site cookies. The change arrives with version 80, scheduled for release on February 4, 2020, as announced at https://www.chromium.org/updates/same-site. Other browsers are also in the process of similarly updating their handling of cross-site cookies. How does this impact you? Read below for details.
- What are cross-site cookies?
- Every cookie has a URL associated with it. If the URL associated with the cookie is not the same as the URL in the browser address bar, it is considered a cross-site cookie. (For more information, see https://web.dev/samesite-cookies-explained/.)
- e.g. The news.yahoo.com site has advertising content that creates a cookie associated with the URL add.advertising.com. The user’s browser shows http://news.yahoo.com, but the URL associated with the cookie is add.advertising.com.
- What is the change?
- Starting in February:
- If a cookie’s SameSite attribute is not specified, Chrome will assume SameSite=‘Lax’, which will block access to cross-site cookies.
- If a cookie’s SameSite attribute is ‘None’, Chrome will allow access to cross-site cookies over HTTPS connections.
- If a cookie’s SameSite attribute is either ‘Lax’ or ‘Strict’, Chrome will block access to cross-site cookies.
- What should I do?
- If your site uses cross-site cookies, update the cookies to set the SameSite attribute to ‘None’.
- You can test if there is an impact to your application by doing the following in Chrome:
- In the address bar, enter the following URL: ‘chrome://flags/#same-site-by-default-cookies’.
- Set the flags ‘SameSite by default cookies’ and ‘Cookies without SameSite must be secure’ to ‘Enabled’ and restart the Chrome browser.
- Test all applicable flows that involve cookies, to determine if there is an impact.
- If there is an impact, check with your identity federation service and/or application provider to see if they have provided any updates to cover this issue.
- Are Exostar products impacted by the change?
- Exostar products have been updated to be compatible with the changes coming with Chrome 80 in February 2020.
- This does not mean that your system that is integrated with Exostar products has been updated.
- Are other browsers impacted?
- At this time, other browsers such as Firefox and Microsoft Edge have this as optional and are planning to implement it similarly to Google Chrome in the future.
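The rules under "What is the change?" applied to a site's own Set-Cookie headers, as an added example that is not part of the original page: the header values are constructed samples and the function names are hypothetical. It also encodes Chrome 80's requirement that a SameSite=None cookie carry the Secure attribute, which is what the "Cookies without SameSite must be secure" flag enforces.

```javascript
// Added example: audit Set-Cookie headers against the Chrome 80 SameSite rules.
// SAMPLES are constructed header values, not taken from any real application.
const SAMPLES = [
  "JSESSIONID=abc123; Path=/; HttpOnly",            // no SameSite attribute
  "fed_session=xyz; Path=/; SameSite=None; Secure", // cross-site, correctly marked
  "fed_legacy=xyz; Path=/; SameSite=None",          // None without Secure
  "prefs=dark; SameSite=Strict; Secure",
];

// Split one Set-Cookie value into the cookie name and a map of its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = new Map();
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    flags.set(key, i === -1 ? "" : attr.slice(i + 1).trim().toLowerCase());
  }
  return { name, flags };
}

// Decide how Chrome 80 will treat the cookie when the request is cross-site.
function classify(header) {
  const { name, flags } = parseSetCookie(header);
  const raw = flags.get("samesite");
  // Missing or unrecognised SameSite value: Chrome 80 falls back to Lax.
  const sameSite = ["strict", "lax", "none"].includes(raw) ? raw : "lax";
  if (sameSite === "none" && !flags.has("secure")) {
    return { name, sameSite, crossSite: false, verdict: "rejected: SameSite=None requires Secure" };
  }
  if (sameSite === "none") {
    return { name, sameSite, crossSite: true, verdict: "available cross-site over HTTPS" };
  }
  const how = raw === sameSite ? "explicit" : "defaulted";
  return { name, sameSite, crossSite: false, verdict: `blocked cross-site (${how} ${sameSite})` };
}

function audit(headers) {
  return headers.map(classify);
}

for (const r of audit(SAMPLES)) {
  console.log(`${r.name.padEnd(12)} ${r.sameSite.padEnd(7)} ${r.verdict}`);
}
```

Any cookie your federation or embedded flows depend on that reports "blocked" or "rejected" here is one to retest with the two Chrome flags enabled.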