
Google Rolls Out SameSite Cookie Changes to Chrome


Google is finishing its rollout of the changes to the SameSite cookie in its Chrome web browser.

The new cookie classification system, which was introduced in Chrome 80 earlier this year, is finally on all updated versions of the browser. The SameSite update changes how the web browser handles third-party cookies as a way to avoid possible cross-site request forgery (CSRF) attempts using cookies. Site owners need to explicitly label third-party cookies with SameSite=None; Secure in order to use them on other sites. Improperly labeled third-party cookies will be blocked by Chrome.

“#SameSite cookie update now at 100% for Chrome 80+ (applies on restart),” the Twitter account Chrome Developers posted.

Cookies track user state, such as the fact that a person viewed a particular advertisement on a previous visit, or has been authenticated to access the site. Ad tech companies frequently use third-party cookies to track users as they move from site to site. These cookies can also be abused, since they can be used for malicious tracking and data leakage. In CSRF attacks, attackers trick users into executing unwanted actions on a site, such as transferring funds or changing their user information. For example, a user might click on a link in an email that gives a bad actor the ability to log into their banking website.

This change limits online tracking and increases privacy by default.

The SameSite update page maintained by the Chromium team noted the “target rollout population has been increased to 100% of users on Chrome Stable versions 80 and above, and the actual proportion of users with the new behavior enabled is now ramping up to 100% gradually. Users will receive the new behavior when they restart Chrome.”

Secure by Default

Chrome now requires the SameSite attribute to be set with both None and Secure labels. The Secure label forces the cookie to be set and read only over HTTPS connections. Third-party cookies must have both labels to avoid being rejected.

The default value of the SameSite attribute is now Lax, not None, which means the browser will withhold cookies on cross-site requests unless the request is a top-level navigation, such as the user following a link to the site from an external domain.

If the site owner did not explicitly set the SameSite attribute, Chrome will default to treating the cookie as having SameSite=Lax. The Lax label means cookies are only sent when the domain in the browser's address bar matches the cookie's domain, which makes it a first-party cookie. In the past, the default assumption was None, which allowed third-party cookies to track users across sites.

Cookies set with SameSite=Strict restrict cross-site sharing entirely, even between different domains owned by the same publisher.
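The three labels and the new defaults described above, as an added example (not code from the article or from Chromium): a small JavaScript model that parses a Set-Cookie header, applies the Chrome 80 rules (missing SameSite treated as Lax, SameSite=None rejected without Secure) and decides whether the cookie would be attached to a request. The request-context fields (crossSite, topLevelNav, method, https) and the sample headers are this model's own assumptions.

```javascript
// Added example, not code from the article or from Chromium: a model of
// Chrome 80's SameSite rules for Set-Cookie headers and request contexts.

// Parse a Set-Cookie header into { name, value, sameSite, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.toLowerCase() === "secure") cookie.secure = true;
    else if (k.toLowerCase() === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Storage decision under the new defaults: None is only honoured together with
// Secure (#cookies-without-same-site-must-be-secure); a missing or unknown value
// is treated as Lax (#same-site-by-default-cookies).
function effectiveSameSite(cookie) {
  if (cookie.sameSite === "none") return cookie.secure ? "none" : "rejected";
  if (cookie.sameSite === "strict") return "strict";
  return "lax";
}

// Would the browser attach the cookie to a request? ctx: crossSite (initiating
// site differs from the target site), topLevelNav (a navigation such as a link
// click rather than a subresource or fetch), method, https.
function wouldSend(cookie, ctx) {
  const mode = effectiveSameSite(cookie);
  if (mode === "rejected") return false;           // never stored at all
  if (cookie.secure && !ctx.https) return false;   // Secure: HTTPS only
  if (!ctx.crossSite) return true;                 // first-party request
  if (mode === "none") return true;                // explicit cross-site opt-in
  if (mode === "strict") return false;             // never shared cross-site
  // Lax: only on top-level navigations with a safe method (no cross-site POST)
  const safe = ["GET", "HEAD"].includes((ctx.method || "GET").toUpperCase());
  return Boolean(ctx.topLevelNav) && safe;
}

// Constructed sample headers: an unlabeled tracking cookie (now Lax), its
// corrected third-party form, an incorrectly labeled one, and a strict cookie.
const SAMPLES = {
  unlabeled: "adid=abc123",
  corrected: "adid=abc123; SameSite=None; Secure",
  noneWithoutSecure: "adid=abc123; SameSite=None",
  strict: "session=xyz; SameSite=Strict; Secure",
};
```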

Chrome has two settings under chrome://flags that enforce the SameSite checks on a site's cookies: #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. The developer console in Chrome will also indicate whether other vendors, such as ad tech and analytics providers, are setting or accessing third-party cookies on a site without the correct labeling.

Broken Sites, Functionality

Google introduced the SameSite attribute in May 2016 with Chrome 51 and began enforcement in Chrome 80. When companies switched to the work-from-home model at the beginning of the pandemic, Google decided to delay SameSite enforcement for a few months. Chrome 81 was delayed, there was no Chrome 82, and the release of Chrome 83 was moved up by a few weeks. Chrome 84 for Windows, Mac, Linux, Android and iOS was released about a month ago.

There were concerns that any change in third-party cookie handling could negatively impact banking, grocery shopping, government, and other essential service sites, especially at a time when people were relying heavily on these portals and services.

With the update nearly complete for Chrome, there was still a “small minority of site operators with outstanding SameSite issues for things like payment integration, federated login, etc,” Google’s Justin Schuh said on Twitter.

This isn’t just a change for Chrome, as Mozilla’s Firefox and Microsoft’s Edge browsers are also making the change. Mozilla began rolling out the changes to its Beta channel with Firefox 79 in June. It has been the default in the Firefox pre-release browser since February. Mozilla has a Bugzilla hub to track broken functionality as it works with publishers to fix the issues.

There have been reports on GitHub that some services on the gov.uk platform are no longer usable, with broken page elements and missing pictures, because the SameSite attribute was not set properly.

Microsoft had warned back in January that sites and applications that rely on OpenID-based federation could be affected by the SameSite change. There were updates to .NET to support the new SameSite attribute. Enterprise IT administrators should have made changes to how the cookies are being handled by now to avoid issues with single sign-on and internal applications.