Google Chrome 80 SameSite Cookie Enforcement Could Break Some Websites
Google has just rolled out version 80 of Chrome, perhaps the world's most used web browser on both computers and mobile devices. It brings some very nice changes, like quieter notification requests, but has one change that could break how some websites work for a limited number of users. Unfortunately, this might be the type of wake-up call needed for site owners and developers to step up and make the changes needed to protect their visitors' privacy.
Cookies continue to serve some purpose, which is why we can never truly be rid of them. Unfortunately, they have also become one of the biggest sources of abuse, especially when it comes to tracking users' browsing activities. Google's solution is to enforce a policy that requires website owners and developers to properly mark their cookies but, if left unchecked and unchanged, could break some sites.
At the heart of the matter are cross-site cookies, that is, cookies with data coming from a different web service than the one the user is currently viewing. In addition to being used for tracking for advertisement purposes, such cookies may also be used when embedding content like YouTube videos or single sign-on workflows, like when you sign in to your Google Account to log into some non-Google service or app.
With Chrome 80, cookies that are not explicitly marked with the SameSite attribute will be treated as "Lax" and will only work if they're used to access a service that comes from the same website (a "first-party" cookie). Third-party cookies that need to work on other sites have to be properly marked and, additionally, served via encrypted HTTPS. This will break some sites, but Google won't be making such a heavy-handed change all at once.
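As an added illustration (not code from the article or from Google), the following script audits Set-Cookie header values against the Chrome 80 behaviour described above: a cookie with no SameSite attribute is treated as Lax, and a cookie marked SameSite=None is honoured only when it also carries the Secure attribute. The sample headers are constructed, and the handling of unrecognised SameSite values as Lax is an assumption based on the draft cookie spec.

```python
# Added example: check Set-Cookie headers for Chrome 80 SameSite defaults.
# Assumptions: missing SameSite -> treated as Lax; SameSite=None needs Secure;
# unrecognised SameSite values are assumed to fall back to Lax.
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    effective_samesite: str  # "Lax", "Strict", "None" or "rejected"
    cross_site_ok: bool      # will Chrome 80 send it on cross-site requests?
    note: str


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, {attribute: value}).

    Attribute names are case-insensitive; flag attributes such as
    Secure or HttpOnly are stored with an empty string value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> CookieVerdict:
    """Return how Chrome 80 will treat one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        if not secure:
            return CookieVerdict(name, "rejected", False,
                                 "SameSite=None without Secure is rejected")
        return CookieVerdict(name, "None", True,
                             "SameSite=None; Secure: usable cross-site over HTTPS")
    if samesite in ("lax", "strict"):
        label = samesite.capitalize()
        return CookieVerdict(name, label, False, f"SameSite={label}: first-party only")
    # No attribute (or an unrecognised value, assumed here to behave the same):
    # Chrome 80 applies the Lax default, so cross-site embeds and SSO break.
    return CookieVerdict(name, "Lax", False, "no SameSite attribute: Lax by default")


# Constructed sample headers, not taken from any real site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "sso_token=xyz; Path=/; SameSite=None",
    "sso_token=xyz; Path=/; SameSite=None; Secure",
    "csrf=tok; SameSite=Strict; Secure",
]

if __name__ == "__main__":
    for v in (audit_set_cookie(h) for h in SAMPLE_HEADERS):
        print(f"{v.name:10} -> {v.effective_samesite:9} cross-site: {v.cross_site_ok}  {v.note}")
```

Running the script flags the second sample as a cookie Chrome 80 will drop outright and the first as one that silently stops working in embedded or single sign-on flows.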
While Chrome 80 is rolling out now, SameSite enforcement won't be switched on until February 17. Even then, it will only be enabled for a limited number of users at first. This gives not only site developers time to make the necessary changes to adhere to the new policy but also lets Google respond to whatever backlash the security feature may generate, especially from its own advertising partners.