
Google warns devs as it tightens Chrome cookie security: Stuff will break if you're not clued up

You'll have to tag those for cross-site use from February

By Tim Anderson


Google is asking developers to get ready for more secure cookie settings to be implemented in Chrome 80 that is planned for release in February 2020.

The announced changes relate to the SameSite cookie attribute. First specified in July 2016, the SameSite attribute is set by the developer when the cookie is planted, and can be either "strict", "lax", "none" or omitted.

The attribute (provided the browser supports it) tells the browser whether to attach the cookie to cross-site requests: requests to the cookie's own site that originate from a page on a different site, such as when that site's ad or image is embedded elsewhere, or when a form on another site posts to it. If it is set to strict, the cookie is never sent on a cross-site request. If it is set to lax, the cookie is withheld from cross-site subrequests (embedded images, iframes, scripts and cross-site POSTs) but is sent when you click a link that takes you to that site as a top-level navigation. If it is set to none, the cookie is sent on every cross-site request, which is how all cookies behaved before the attribute existed.

The SameSite attribute protects users from cross-site request forgery, where you are logged into site A and a script on site B impersonates you by sending a request to site A. If site A receives your session cookie, that request would appear to come from you.


The major browsers, including Chrome, have supported this attribute for years, but Google has been gradually tightening security. Now it is moving to the next stage and implementing two changes in Chrome 80: a cookie that carries no SameSite attribute at all will be treated as if it were SameSite=Lax, and a cookie marked SameSite=None will only be accepted if it also carries the Secure attribute, so it is sent over HTTPS alone.

Google is flagging up this issue for developers because the change in behaviour could break some features, such as single sign-on for business applications, if developers do not implement the required attributes. The change also impacts frameworks that set cookies. Enterprise administrators will be able to disable the new behaviour if necessary.
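To make the behaviour concrete, here is an added example, not code from the article or from Google, modelling the SameSite rules (including the Chrome 80 defaults described above) as a decision function and running it over the CSRF scenario of site A and site B. The function names, the request and cookie objects, and the simplification of a "site" to a registrable-domain string are all my own assumptions; the scenarios are constructed, not captured traffic.

```javascript
// Added example, not from the article or from Google: a small model of the
// SameSite rules, with the Chrome 80 defaults, deciding whether a browser
// attaches a cookie to a request. Names and scenario objects are my own;
// "site" is simplified to a registrable-domain string.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Chrome 80 defaults: no SameSite attribute behaves as Lax, and SameSite=None
// is only honoured when the cookie also carries Secure; otherwise the
// Set-Cookie is rejected and the cookie is never stored.
function effectiveSameSite(cookie) {
  const mode = (cookie.sameSite || "").toLowerCase();
  if (mode === "none") return cookie.secure ? "none" : "rejected";
  if (mode === "strict" || mode === "lax") return mode;
  return "lax";
}

// request = { targetSite, initiatorSite, method, topLevel }
//   targetSite    site the request goes to (the cookie's own site)
//   initiatorSite site of the page that caused the request
//   method        HTTP method
//   topLevel      true for navigations (typed URL, link click, form submit),
//                 false for subresources (img, script, iframe, fetch/XHR)
function cookieIsSent(cookie, request) {
  const mode = effectiveSameSite(cookie);
  if (mode === "rejected") return false;
  // SameSite only ever restricts cross-site requests.
  if (request.initiatorSite === request.targetSite) return true;
  if (mode === "none") return true;
  if (mode === "strict") return false;
  // Lax: only top-level navigations with a safe method carry the cookie, so a
  // cross-site <form method="POST"> or an <img> fetch does not.
  return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
}

// Build a Set-Cookie header value, refusing the combination Chrome 80 rejects.
function setCookieHeader(name, value, { sameSite = "Lax", secure = true, httpOnly = true } = {}) {
  if (sameSite.toLowerCase() === "none" && !secure) {
    throw new Error("SameSite=None requires Secure");
  }
  const parts = [`${name}=${value}`, "Path=/", `SameSite=${sameSite}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Constructed scenarios: the session cookie belongs to site-a.example and the
// attacker's page sits on site-b.example, as in the CSRF description above.
const A = "site-a.example";
const B = "site-b.example";
const REQUESTS = {
  csrfPost:  { targetSite: A, initiatorSite: B, method: "POST", topLevel: true },  // auto-submitted form
  csrfImg:   { targetSite: A, initiatorSite: B, method: "GET",  topLevel: false }, // <img src="https://site-a.example/...">
  linkClick: { targetSite: A, initiatorSite: B, method: "GET",  topLevel: true },  // user follows a link
  ownXhr:    { targetSite: A, initiatorSite: A, method: "POST", topLevel: false }, // site A's own fetch
};
const COOKIES = {
  unspecified:  { name: "session", value: "s3cr3t" },
  strict:       { name: "session", value: "s3cr3t", sameSite: "Strict", secure: true },
  lax:          { name: "session", value: "s3cr3t", sameSite: "Lax",    secure: true },
  noneSecure:   { name: "session", value: "s3cr3t", sameSite: "None",   secure: true },
  noneInsecure: { name: "session", value: "s3cr3t", sameSite: "None",   secure: false },
};

// Returns { cookieLabel: { requestLabel: sent } } for every combination.
function runScenarios() {
  const table = {};
  for (const [cLabel, cookie] of Object.entries(COOKIES)) {
    table[cLabel] = {};
    for (const [rLabel, request] of Object.entries(REQUESTS)) {
      table[cLabel][rLabel] = cookieIsSent(cookie, request);
    }
  }
  return table;
}

console.table(runScenarios());
```

Run it with node and read the table row by row: the cookie with no attribute, which before Chrome 80 would have ridden along with the cross-site POST, now behaves like the Lax row, which is exactly what breaks POST-based single sign-on flows that land on a site from an identity provider on a different domain. Two caveats the model leaves out: Chrome 80 temporarily exempts attribute-less cookies set less than two minutes earlier from the Lax POST rule to soften that breakage, and a real browser's notion of "site" is more involved than a bare domain comparison.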

Although this is a welcome (perhaps overdue) change, it does little for tracking protection, since advertisers that want their tracking cookies to keep flowing cross-site can simply set the required attributes. Users can of course set "Block third-party cookies" in the browser, but this is off by default in most browsers since it breaks functionality. Firefox, for example, warns that blocking all third-party cookies "may cause websites to break".

Firefox offers specific blocking of tracking cookies, and warns against blocking all third-party cookies

Mozilla has taken a more proactive line on the matter of tracking cookies by using a list of services that set tracking cookies and blocking third-party cookies from those sites only. This is now on by default in Firefox, but to use it in Chrome you need an extension.

You can block all third-party cookies in Chrome, but it is a crude solution

Google takes a different view, arguing: "Blunt approaches to cookie blocking have been tried, and in response we have seen some user-tracking efforts move underground, employing harder-to-detect methods that subvert cookie controls. These methods, known as 'fingerprinting,' rely on various techniques to examine what makes a given user's browser unique."

Fingerprinting grabs what information it can about the user's browser and machine to track identity without relying on cookies. Google is promising to "more aggressively restrict fingerprinting across the web", but this is non-trivial and implementation will be imperfect. Google is also concerned about what it calls the "web ecosystem", no doubt including its own income from advertising and investment in personalisation, which means it is not a neutral party in respect of this issue.

Google does note that, once we reach the point where all cross-site cookies have these attributes set, "browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites." This is still challenging, though, since not all cross-site cookies are harmful.

Google's efforts to tighten web standards are welcome in that as the maker of the dominant web browser, it has the clout to ensure that changes are implemented. That said, it lacks incentive to make its web browser the best in terms of privacy, which means rivals like Mozilla Firefox are likely to stay ahead in this area.®
