posted by Fnord666 on Saturday January 04 2020, @07:49AM
from the follow-the-money dept.

WTF is Chrome's SameSite cookie update? - Digiday:

On February 4, Google is set to roll out a new Chrome update that promises a bunch of new features designed to make the browser faster and more secure — including a new approach to cookies.

The SameSite update will require website owners to explicitly label the third-party cookies that can be used on other sites. Cookies without the proper labelling won't work in the Chrome browser, which has 64% of the overall browser market, according to Statcounter.

Google first announced in May last year that cookies that do not include the "SameSite=None" and "Secure" labels won't be accessible by third parties, such as ad tech companies, in Chrome version 80 and beyond. The Secure label means cookies need to be set and read via HTTPS connections.

Right now, the Chrome SameSite cookie default is "None," which allows third-party cookies to track users across sites. But from February, cookies will default into "SameSite=Lax," which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie — a first-party cookie.

Any cookie with the "SameSite=None" label must also have a secure flag, meaning it will only be created and sent through requests made over HTTPS. Meanwhile, the “SameSite=Strict” designation restricts cross-site sharing altogether, even between different domains that are owned by the same publisher.

Mozilla’s Firefox and Microsoft's Edge say they will also adopt the SameSite=Lax default.


Related Stories

Promiscuous Cookies and their Impending Death via the SameSite Policy 8 comments

https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/

Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it:

If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes.

What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes.

Last one: what if an attacker directs you to a malicious website and upon visiting it your browser makes a POST request to the original website that set the cookie - will that cookie still be sent with the request? Yes!

Cookies just don't care about how the request was initiated nor from which origin, all they care about is that they're valid for the requested resource. "Origin" is a key word here too; those last two examples above are "cross-origin" requests in that they were initiated from origins other than the original website that set the cookie. Problem is, that opens up a rather nasty attack vector we know as Cross Site Request Forgery or CSRF. Way back in 2010 I was writing about this as part of the OWASP Top 10 for ASP.NET series and a near decade on, it's still a problem.

This is a follow-up to our previous story that provides some excellent details and explanations.
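The cookie rules from both stories above, Chrome 80's Lax default with the "SameSite=None" plus Secure requirement, and Troy Hunt's three cross-site scenarios, modelled as a small browser-side decision function. This is an added example written for this page, not Chrome's, Digiday's or Troy Hunt's code; the site names are constructed and the "same site" test is a simplified string comparison.

```python
# Browser-side SameSite decision model for the rules described on this page.
# Example code written for this page, not Chrome's, Digiday's or Troy Hunt's.
# Site names are constructed; "same site" is a plain string comparison here
# (assumption: no public-suffix handling).
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    site: str                        # site that set the cookie
    samesite: Optional[str] = None   # "Strict", "Lax", "None" or unset
    secure: bool = False


@dataclass
class Request:
    target_site: str        # site receiving the request
    initiator_site: str     # site whose page started the request
    method: str = "GET"
    top_level: bool = True  # navigation (link click, form submit) vs. subresource
    https: bool = True


def effective_samesite(cookie: Cookie, chrome80: bool = True) -> Optional[str]:
    """Chrome 80 defaults: unset -> Lax; None without Secure -> rejected (None)."""
    if cookie.samesite is None:
        return "Lax" if chrome80 else "None"
    if chrome80 and cookie.samesite == "None" and not cookie.secure:
        return None
    return cookie.samesite


def is_sent(cookie: Cookie, req: Request, chrome80: bool = True) -> bool:
    """Would the browser attach this cookie to the request?"""
    mode = effective_samesite(cookie, chrome80)
    if mode is None or req.target_site != cookie.site:
        return False
    if cookie.secure and not req.https:
        return False            # Secure cookies travel only over HTTPS
    if req.initiator_site == req.target_site or mode == "None":
        return True             # first-party request, or explicitly opted in
    if mode == "Lax":
        # Lax: cross-site only on top-level navigations with a safe method,
        # so a link in an e-mail still carries the cookie but a cross-site
        # POST (the CSRF case) does not
        return req.top_level and req.method in ("GET", "HEAD")
    return False                # Strict: never cross-site
```

Toggling `chrome80=False` reproduces the pre-February behaviour, where an unlabelled cookie rode along on a cross-site POST.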


Google Chrome Temporarily Rolls Back SameSite Cookie Security Change 11 comments

Temporarily rolling back SameSite Cookie Changes

With the stable release of Chrome 80 in February, Chrome began enforcing secure-by-default handling of third-party cookies as part of our ongoing effort to improve privacy and security across the web. We've been gradually rolling out this change since February and have been closely monitoring and evaluating ecosystem impact, including proactively reaching out to individual websites and services to ensure their cookies are labeled correctly.

However in light of the extraordinary global circumstances due to COVID-19, we are temporarily rolling back the enforcement of SameSite cookie labeling, starting today. While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time. As we roll back enforcement, organizations, users and sites should see no disruption.

Also at The Verge, Android Police, Engadget, and Forbes.

Previously: WTF is Chrome's SameSite Cookie Update?
Promiscuous Cookies and their Impending Death via the SameSite Policy


  • (Score: 2) by Runaway1956 on Saturday January 04 2020, @11:39AM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Saturday January 04 2020, @11:39AM (#939453) Journal

    Google Analytics, and all of its brethren, won't be blocked by a browser built by Google.

    • (Score: 0) by Anonymous Coward on Saturday January 04 2020, @11:56AM

      by Anonymous Coward on Saturday January 04 2020, @11:56AM (#939454)

      Just like Microsoft spyware won't be blocked by Windows.

  • (Score: 4, Insightful) by Anonymous Coward on Saturday January 04 2020, @11:59AM (5 children)

    by Anonymous Coward on Saturday January 04 2020, @11:59AM (#939455)

    This is not a replacement for ad blockers. It may be their justification, but it is not a replacement.

    • (Score: 5, Informative) by SpockLogic on Saturday January 04 2020, @02:27PM (1 child)

      by SpockLogic (2762) on Saturday January 04 2020, @02:27PM (#939489)

      I use "Cookie AutoDelete" in Firefox together with uBlock Origin and that seems to do a fairly good job of thwarting the fuckers.

      --
      Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
      • (Score: 2) by corey on Sunday January 05 2020, @08:48PM

        by corey (2202) on Sunday January 05 2020, @08:48PM (#939952)

        I have used this combo the past few years and it works well. I get popup notifications seconds after closing a tab saying X (e.g. 15) cookies deleted. When I check what cookies I have, Facebook and Google don't exist there.

        Vanilla Cookie Manager for Chrome is equivalent and works great too.

        Obviously you can create a whitelist of good cookies like SoylentNews.

    • (Score: 3, Informative) by zocalo on Saturday January 04 2020, @04:33PM

      by zocalo (302) on Saturday January 04 2020, @04:33PM (#939529)

      Clearly not. It seems pretty clear that if a company has a script that sets a cookie on behalf of an Ad/Tracking company then they can (and probably will, regardless of whether this is a requirement of use) configure the cookie as "SameSite=None" so that the Ad/Tracking company can maintain their unfettered cross-site access. Scripts executed directly from Ad/Tracking company domains will probably be more selective though; no point letting your competitors access your tracking data!

      Still, I guess what it will let you do is proactively block and/or remove cookies with that configuration, most likely via a suitable ad-blocking extension that will offer whitelists and other more fine-grained controls. Frankly, if a company isn't concerned enough about my security and privacy to set an appropriate SameSite configuration, then I don't see any reason why I should let them put them there in the first place, let alone do business with them.
      --
      UNIX? They're not even circumcised! Savages!
    • (Score: 2) by Joe Desertrat on Saturday January 04 2020, @10:43PM (1 child)

      by Joe Desertrat (2454) on Saturday January 04 2020, @10:43PM (#939658)

      This is not a replacement for ad blockers. It may be their justification, but it is not a replacement.

      Their justification is that if third party advertisers want tracking data on users, they'll have to buy it from Google.

      • (Score: 0) by Anonymous Coward on Sunday January 05 2020, @05:42PM

        by Anonymous Coward on Sunday January 05 2020, @05:42PM (#939877)

        I agree with you. Browser devs should completely abandon attempts at privacy protection because no matter what they do, they will never clear your bar, so why even bother? Then you get to complain that they don't care about privacy. Win-Win!!
