
Google warns devs as it tightens Chrome cookie security: Stuff will break if you're not clued up

You'll have to tag those for cross-site use from February

By Tim Anderson


Google is asking developers to get ready for more secure cookie settings that will be implemented in Chrome 80, which is planned for release in February 2020.

The announced changes relate to the SameSite cookie attribute. First specified in July 2016, the SameSite attribute is set by the developer when the cookie is issued, and can be "strict", "lax" or "none", or omitted entirely.

These settings (provided the browser supports them) control what happens when the browser requests content from a site other than the one you are visiting, such as when an ad is displayed. If it is set to strict, no cookies are sent to the third-party site. If it is set to lax, no cookies are sent unless you navigate to that site by following a link, in which case they are sent. If it is set to none, cookies set by the third-party site are always sent.

The SameSite attribute protects users from cross-site request forgery, where you are logged into site A and a script on site B impersonates you by sending a request to site A. If site A receives your session cookie, that request would appear to come from you.


The major browsers, including Chrome, have supported this attribute for years, but Google has been gradually tightening security. Now it is moving to the next stage and implementing two changes:

Google is flagging up this issue for developers because the change in behaviour could break some features, such as single sign-on for business applications, if developers do not implement the required attributes. The change also impacts frameworks that set cookies. Enterprise administrators will be able to disable the new behaviour if necessary.
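To make the three SameSite values and the forgery scenario concrete, here is an added example (not code from the article, Google or Chrome) that models when a browser attaches a cookie to a request and then runs the developer check the article is urging: which cookies in an inventory would stop working once untagged cookies are no longer sent cross-site. The model assumes Chrome 80 treats a cookie with no SameSite attribute as Lax, and that SameSite=None must be paired with Secure; neither detail is spelled out in the article. The cookie names and the inventory are constructed for the example.

```javascript
// Added example: a model of the SameSite rules described in the article and a
// check for cookies that would stop working cross-site. Not Chrome's code.

// Request contexts that matter for SameSite decisions.
const Context = Object.freeze({
  SAME_SITE: "same-site",                   // request to the site you are visiting
  CROSS_SITE_NAVIGATION: "cross-site-nav",  // you followed a link to the other site
  CROSS_SITE_SUBRESOURCE: "cross-site-sub", // ad, iframe, script or form post from another site
});

// Does the browser attach a cookie with this SameSite value in this context?
// `defaultLax` models the assumed Chrome 80 behaviour of treating a cookie with
// no SameSite attribute as Lax; with it false, an untagged cookie behaves like
// None, which is how browsers behaved before the change.
function cookieSent(sameSite, context, { defaultLax = true } = {}) {
  if (context === Context.SAME_SITE) return true;
  const value = sameSite ? sameSite.toLowerCase() : (defaultLax ? "lax" : "none");
  switch (value) {
    case "strict": return false;
    case "lax":    return context === Context.CROSS_SITE_NAVIGATION;
    case "none":   return true;
    default:       throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// The forgery scenario from the article: the user is logged into site A and a
// page on site B sends a request to site A. Is site A's session cookie attached?
function forgedRequestCarriesSession(sessionCookieSameSite, opts) {
  return cookieSent(sessionCookieSameSite, Context.CROSS_SITE_SUBRESOURCE, opts);
}

// Build a Set-Cookie header value. SameSite=None is only accepted together
// with Secure (assumed requirement, not stated in the article).
function setCookieHeader(name, value, { sameSite = "Lax", secure = false, httpOnly = true, path = "/" } = {}) {
  if (sameSite.toLowerCase() === "none" && !secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Developer check: a cookie "breaks" if it is relied on in a cross-site embed
// (an SSO iframe, for instance) but would no longer be sent there.
function cookiesThatBreak(cookies) {
  return cookies
    .filter((c) => c.usedCrossSite && !cookieSent(c.sameSite, Context.CROSS_SITE_SUBRESOURCE))
    .map((c) => c.name);
}

// Constructed sample inventory; the names are hypothetical.
const SAMPLE_COOKIES = [
  { name: "sso_token",   sameSite: undefined, usedCrossSite: true },  // untagged SSO cookie used in an iframe
  { name: "ad_id",       sameSite: "None",    usedCrossSite: true },  // tagged for cross-site use
  { name: "sessionid",   sameSite: "Lax",     usedCrossSite: false }, // first-party only, unaffected
  { name: "legacy_pref", sameSite: "Strict",  usedCrossSite: true },  // already never sent cross-site
];

console.log("Cookies that break in Chrome 80:", cookiesThatBreak(SAMPLE_COOKIES));
console.log(setCookieHeader("ad_id", "abc123", { sameSite: "None", secure: true }));
```

Running the block lists `sso_token` and `legacy_pref` as the cookies that would break; the untagged SSO cookie is the case the article is warning about, and fixing it means re-issuing it with `SameSite=None; Secure`, which the `setCookieHeader` helper enforces.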

Although this is a welcome (perhaps overdue) change, it is not great for tracking protection, since advertisers that want their tracking cookies sent cross-site can simply set the required attributes. Users can of course set "Block third-party cookies" in the browser, but this is off by default in most browsers since it breaks functionality. Firefox, for example, warns that blocking all third-party cookies "may cause websites to break".

Firefox offers specific blocking of tracking cookies, and warns against blocking all third-party cookies

Mozilla has taken a more proactive line on the matter of tracking cookies by using a list of services that set tracking cookies and blocking third-party cookies from those sites only. This is now on by default in Firefox, but to use it in Chrome you need an extension.

You can block all third-party cookies in Chrome, but it is a crude solution

Google takes a different view, arguing: "Blunt approaches to cookie blocking have been tried, and in response we have seen some user-tracking efforts move underground, employing harder-to-detect methods that subvert cookie controls. These methods, known as 'fingerprinting,' rely on various techniques to examine what makes a given user's browser unique."

Fingerprinting grabs what information it can about the user's browser and machine to track identity without relying on cookies. Google is promising to "more aggressively restrict fingerprinting across the web", but this is non-trivial and implementation will be imperfect. Google is also concerned about what it calls the "web ecosystem", no doubt including its own income from advertising and investment in personalisation, which means it is not a neutral party in respect of this issue.

Google does note that, once we reach the point where all cross-site cookies have these attributes set, "browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites." This is still challenging, though, since not all cross-site cookies are harmful.

Google's efforts to tighten web standards are welcome in that, as the maker of the dominant web browser, it has the clout to ensure that changes are implemented. That said, it lacks the incentive to make its web browser the best in terms of privacy, which means rivals like Mozilla Firefox are likely to stay ahead in this area.®
