The Chrome browser SameSite cookie change

Google is changing the behaviour of the Chrome browser so that cookies are handled securely by default. The change is driven by the SameSite cookie attribute: cookies that do not set it will be treated as SameSite=Lax, and cookies that explicitly opt out of that restriction with SameSite=None must also be marked Secure or they will be rejected.


Google’s rationale is to make the web a safer place but to do that they need to introduce this significant “breaking” change to the Chrome browser. The old metaphor of “ripping the band-aid off quickly and dealing with the pain all at once” is at play here.

Chrome is the first major browser to change its default behaviour in this way. The other major browsers, including Mozilla’s Firefox, Apple’s Safari and Microsoft’s Edge, have all said they will follow suit, but the timelines for those browsers are still unconfirmed. As Microsoft Edge is now based on the same Chromium engine as Google Chrome, it is very likely its change will come sooner rather than later.

Cookies?

Cookies have been around for a long time. Websites use them to store information in the browser and then retrieve (and update) that information later on. You can’t seem to go anywhere on the web anymore without getting a message along the lines of “We use cookies on this site to store information about your …” and being asked to acknowledge it by clicking OK.

Cookies are also used for a variety of reasons beyond just storing online preferences. They are used in online advertising, in ecommerce sites such as shopping carts, in some identity platforms like Identity Server, in social media plug-ins, and that is just a few examples. 

How cookies work

[Figure: HTTP cookie exchange between browser and server. Source: https://en.wikipedia.org/wiki/File:HTTP_cookie_exchange.svg]

What is the benefit of this change?

Up until now the rules around how cookies are used have been quite open, and have allowed some websites to store and access information in cookies that they probably shouldn’t, whether intentionally or not. In particular, a cookie set by one site has been sent along with any request to that site, regardless of which site caused the browser to make the request.

As a result of this change:

  • It will be harder to exploit cross-site request forgery (CSRF, also written XSRF), where another site tricks the browser into sending a request that carries the victim’s session cookie, so that the web application performs an action the user never intended. Combined with a little social engineering, such as a fake bank email containing a malicious link, a CSRF attack against an internet banking site could result in a transfer from the victim’s account. With cookies treated as SameSite=Lax by default, the browser no longer attaches them to cross-site POST requests or to embedded cross-site loads, so the forged request arrives without the session.
  • It will reduce the data leakage that occurs through third-party cookie tracking, because a cookie that has not been explicitly marked SameSite=None; Secure is no longer sent on cross-site subresource requests such as tracking pixels and embedded scripts. This is slightly ironic, as Google’s primary business of search-engine-based marketing has long relied on exactly that sort of data.
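To make the two bullets above concrete, the following is an added example written for this post, not code from Google or from the original article. It is a small JavaScript model of the cookie rules Chrome 80 applies (no attribute means Lax; SameSite=None requires Secure; explicit attributes were already honoured before version 80), run over constructed Set-Cookie headers and request contexts for the CSRF case, the third-party tracking case, and the identity-provider POST-back case that tends to break. The two-minute “Lax+POST” allowance is Chrome’s documented temporary mitigation for POST-based login flows; the cookie names, values and request contexts are made up for the example.

```javascript
// Added example (not the post's or Chrome's code): a model of the cookie rules Chrome 80
// applies, so the effect of "Lax by default" can be checked against concrete headers.
// Chrome's temporary "Lax+POST" mitigation: a cookie with NO SameSite attribute that was
// set less than two minutes ago is still sent on a top-level cross-site POST.
const LAX_POST_WINDOW_SECONDS = 120;

// Parse one Set-Cookie header into the fields this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val.trim().toLowerCase(); // 'strict' | 'lax' | 'none'
  }
  return cookie;
}

// Chrome 80 rejects SameSite=None unless the cookie is also Secure; earlier versions stored it.
function isStored(cookie, { chrome80 }) {
  return !(chrome80 && cookie.sameSite === 'none' && !cookie.secure);
}

// Treatment of a cookie with no SameSite attribute: Chrome 80 defaults it to Lax, older
// behaviour was unrestricted (what SameSite=None now states explicitly).
function effectiveSameSite(cookie, { chrome80 }) {
  if (cookie.sameSite !== null) return cookie.sameSite;
  return chrome80 ? 'lax' : 'none';
}

// Decide whether a cookie is attached to a request.
// ctx: { crossSite, topLevelNavigation, method, https, cookieAgeSeconds }
function willSend(cookie, ctx, opts) {
  if (!isStored(cookie, opts)) return false;
  if (cookie.secure && !ctx.https) return false; // Secure cookies only travel over HTTPS
  if (!ctx.crossSite) return true;               // same-site requests are never restricted
  switch (effectiveSameSite(cookie, opts)) {
    case 'strict':
      return false;
    case 'lax': {
      const safeNav = ctx.topLevelNavigation && ctx.method === 'GET';
      const laxPost = opts.chrome80 && cookie.sameSite === null &&
        ctx.topLevelNavigation && ctx.method === 'POST' &&
        ctx.cookieAgeSeconds < LAX_POST_WINDOW_SECONDS;
      return safeNav || laxPost;
    }
    default: // 'none'
      return true;
  }
}

// Compare the old and the Chrome 80 behaviour for one header in one request context.
function compare(header, ctx) {
  const cookie = parseSetCookie(header);
  return {
    before: willSend(cookie, ctx, { chrome80: false }),
    chrome80: willSend(cookie, ctx, { chrome80: true }),
  };
}

// Constructed request contexts (not real traffic).
const csrfPost = { crossSite: true, topLevelNavigation: true, method: 'POST', https: true, cookieAgeSeconds: 3600 };
const trackerImg = { crossSite: true, topLevelNavigation: false, method: 'GET', https: true, cookieAgeSeconds: 3600 };
const linkClick = { crossSite: true, topLevelNavigation: true, method: 'GET', https: true, cookieAgeSeconds: 3600 };
const idpPostBack = { crossSite: true, topLevelNavigation: true, method: 'POST', https: true, cookieAgeSeconds: 30 };

const scenarios = {
  // Bank session cookie with no attribute, submitted by an attacker's auto-posting form.
  csrf: compare('sid=9f3a; Path=/; HttpOnly', csrfPost),
  // Third-party tracking cookie on a cross-site <img>/<script> load.
  tracker: compare('tid=u-7781; Path=/', trackerImg),
  // Site opted out of the new default but forgot Secure: Chrome 80 drops the cookie entirely.
  noneInsecure: compare('tid=u-7781; SameSite=None', trackerImg),
  // Correct opt-out for a legitimate cross-site use.
  noneSecure: compare('tid=u-7781; SameSite=None; Secure', trackerImg),
  // Following a link from another site still carries a Lax cookie, before and after.
  lazyLink: compare('sid=9f3a; Path=/', linkClick),
  // Explicit Strict was already honoured before version 80; only the default changes.
  strictLink: compare('sid=9f3a; SameSite=Strict', linkClick),
  // Identity provider POSTs the user back within the Lax+POST window: still works in Chrome 80.
  freshPostBack: compare('idsrv.session=x1; Path=/', idpPostBack),
};

console.table(scenarios);
```

The model is deliberately narrower than a real cookie jar (no Domain or Path matching, no expiry), but it shows the pattern to look for when assessing a site: anything that relied on a cookie being sent in a cross-site POST or an embedded cross-site load without an explicit SameSite attribute will stop working, and the only supported way to keep that behaviour is SameSite=None together with Secure over HTTPS.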

How did we get here?

Back in May 2019 the Chromium team announced the intent to change the browser’s behaviour. The change is based on an IETF draft of the cookie specification that has been around since 2016 but has not been widely adopted, and Google has decided to push adoption by changing the browser’s default behaviour. Over the last few months Google has been testing the new cookie handling behaviour in a number of beta releases, and has confirmed that the changes will ship in the stable release of Chrome version 80 on February 4th.

What is the impact?

There hasn’t been a lot of noise or discussion about this change, but Chrome is a widely used browser with 64% of the global market share (54% in New Zealand) according to StatCounter. That is a large proportion of web users who could experience issues.

What should I do?

The potential impact on your organisation will be dependent on whether you’re providing or consuming a website or web-based service that supports the Chrome browser.

We are working with many of our customers to review and assess the potential impact of these changes with a focus on two areas:

  • Testing and assessing their web solutions and websites. Recent Chrome versions include flags to preview the new behaviour before version 80 ships (chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure), and the DevTools console warns about cookies that will be affected. Test cross-site flows in particular: embedded content, federated sign-in that POSTs back to your site, and payment callbacks.
  • Planning for the Enterprise rollout of version 80 of Chrome, including the options for controlling the roll-out so you don’t make the new version available until your organisation is ready. Chrome also offers enterprise policies (LegacySameSiteCookieBehaviorEnabled and the per-domain LegacySameSiteCookieBehaviorEnabledForDomainList) that restore the old behaviour, but Google has described these as temporary, so they should be treated as a stop-gap while affected applications are fixed, not as a permanent setting.

Microsoft and many of the large cloud and software vendors are already putting measures in place to make changes to their platforms to be able to handle these changes. If you need some advice and help, then please get in touch.

 


Posted by: Nick Hadlee, Practice Manager | 16 January 2020
