posted by Fnord666 on Monday April 06 2020, @12:35AM
from the dialing-it-back-a-bit dept.

Temporarily rolling back SameSite Cookie Changes

With the stable release of Chrome 80 in February, Chrome began enforcing secure-by-default handling of third-party cookies as part of our ongoing effort to improve privacy and security across the web. We've been gradually rolling out this change since February and have been closely monitoring and evaluating ecosystem impact, including proactively reaching out to individual websites and services to ensure their cookies are labeled correctly.

However, in light of the extraordinary global circumstances due to COVID-19, we are temporarily rolling back the enforcement of SameSite cookie labeling, starting today. While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time. As we roll back enforcement, organizations, users and sites should see no disruption.

Also at The Verge, Android Police, Engadget, and Forbes.

Previously: WTF is Chrome's SameSite Cookie Update?
Promiscuous Cookies and their Impending Death via the SameSite Policy



Related Stories

WTF is Chrome's SameSite Cookie Update?

WTF is Chrome's SameSite cookie update? - Digiday:

On February 4, Google is set to roll out a new Chrome update that promises a bunch of new features designed to make the browser faster and more secure — including a new approach to cookies.

The SameSite update will require website owners to explicitly label the third-party cookies that can be used on other sites. Cookies without the proper labelling won't work in the Chrome browser, which has 64% of the overall browser market, according to Statcounter.

Google first announced in May last year that cookies that do not include the "SameSite=None" and "Secure" labels won't be accessible by third parties, such as ad tech companies, in Chrome version 80 and beyond. The Secure label means cookies need to be set and read via HTTPS connections.

Right now, the Chrome SameSite cookie default is: "None," which allows third-party cookies to track users across sites. But from February, cookies will default into "SameSite=Lax," which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie — a first-party cookie.

Any cookie with the "SameSite=None" label must also have a secure flag, meaning it will only be created and sent through requests made over HTTPS. Meanwhile, the "SameSite=Strict" designation restricts cross-site sharing altogether, even between different domains that are owned by the same publisher.

Mozilla’s Firefox and Microsoft's Edge say they will also adopt the SameSite=Lax default.



Promiscuous Cookies and their Impending Death via the SameSite Policy

https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/

Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it:

If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes.

What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes.

Last one: what if an attacker directs you to a malicious website and upon visiting it your browser makes a post request to the original website that set the cookie - will that cookie still be sent with the request? Yes!

Cookies just don't care about how the request was initiated nor from which origin, all they care about is that they're valid for the requested resource. "Origin" is a key word here too; those last two examples above are "cross-origin" requests in that they were initiated from origins other than the original website that set the cookie. Problem is, that opens up a rather nasty attack vector we know as Cross Site Request Forgery or CSRF. Way back in 2010 I was writing about this as part of the OWASP Top 10 for ASP.NET series and a near decade on, it's still a problem.

This is a followup to our previous story that provides some excellent details and explanations.
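To make the rules from the two quoted stories concrete, here is an added example (not code from the page, from Troy Hunt, or from Chromium) that models whether a browser attaches a cookie to a request under the Chrome 80 defaults described above (unlabelled cookies treated as Lax, SameSite=None rejected without Secure) and under the rolled-back, pre-Chrome-80 behaviour. The `Cookie` class, the `chrome80_enforced` flag and the three request scenarios are constructed for the example; the Lax rule for cross-site requests is simplified to "top-level GET/HEAD navigations only".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str] = None  # "Lax", "Strict", "None", or None if unlabelled
    secure: bool = False

def effective_same_site(cookie: Cookie, chrome80_enforced: bool) -> Optional[str]:
    """Mode the browser applies. Returns None when Chrome 80 rejects the cookie
    at set time (SameSite=None without Secure). Unlabelled cookies are Lax under
    Chrome 80 and behave like None when enforcement is rolled back."""
    if cookie.same_site == "None" and chrome80_enforced and not cookie.secure:
        return None
    if cookie.same_site is None:
        return "Lax" if chrome80_enforced else "None"
    return cookie.same_site

def cookie_is_sent(cookie, *, same_site_request, top_level_navigation, method,
                   https, chrome80_enforced=True):
    mode = effective_same_site(cookie, chrome80_enforced)
    if mode is None:
        return False
    if cookie.secure and not https:
        return False  # Secure cookies never travel over plain HTTP
    if mode == "None" or same_site_request:
        return True
    if mode == "Strict":
        return False  # Strict: cross-site requests never carry the cookie
    # Lax: cross-site requests get the cookie only on top-level safe-method
    # navigations (Chrome's short "Lax+POST" grace period is not modelled here).
    return top_level_navigation and method.upper() in ("GET", "HEAD")

def troy_hunt_scenarios(cookie, chrome80_enforced):
    """The three constructed cases from the quoted post, against the cookie's site."""
    common = dict(https=True, chrome80_enforced=chrome80_enforced)
    return {
        "same_site_link": cookie_is_sent(cookie, same_site_request=True,
                                         top_level_navigation=True, method="GET", **common),
        "link_from_email": cookie_is_sent(cookie, same_site_request=False,
                                          top_level_navigation=True, method="GET", **common),
        "cross_site_post": cookie_is_sent(cookie, same_site_request=False,
                                          top_level_navigation=False, method="POST", **common),
    }

if __name__ == "__main__":
    legacy = Cookie("session")  # constructed: an unlabelled session cookie
    print("Chrome 80 enforced:  ", troy_hunt_scenarios(legacy, True))
    print("enforcement rolled back:", troy_hunt_scenarios(legacy, False))
```

The cross-site POST case is the one the rollback re-opens for unlabelled cookies, which is why sites relying on Lax-by-default as their only CSRF defence still need their own anti-forgery tokens.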



  • (Score: 2) by Runaway1956 on Monday April 06 2020, @12:43AM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Monday April 06 2020, @12:43AM (#979527) Homepage Journal

    Let's turn off our well-thought-out security features, until the emergency is over!

    Alright, someone try to convince me that this isn't stupid.

    --
    Abortion is the number one killer of children in the United States.
    • (Score: 2, Insightful) by Anonymous Coward on Monday April 06 2020, @12:55AM

      by Anonymous Coward on Monday April 06 2020, @12:55AM (#979532)

      Move slow and don't break things.

  • (Score: 0) by Anonymous Coward on Monday April 06 2020, @12:58AM (3 children)

    by Anonymous Coward on Monday April 06 2020, @12:58AM (#979533)

    Move forward to the future, not back to the past. If you keep up this retrograde thinking, you'll soon be releasing a browser that doesn't track users, and then forcing your female employees to go to the kitchen and make you a sandwich.

    • (Score: 3, Insightful) by Runaway1956 on Monday April 06 2020, @01:59AM (2 children)

      by Runaway1956 (2926) Subscriber Badge on Monday April 06 2020, @01:59AM (#979547) Homepage Journal

      So, win-win? Will I have to preface my request with sudo? sudo make_me_a_grilled_black_forest_ham_and_cheddar_on_wheat

      --
      Abortion is the number one killer of children in the United States.
      • (Score: 3, Touché) by hendrikboom on Monday April 06 2020, @04:12AM (1 child)

        by hendrikboom (1125) on Monday April 06 2020, @04:12AM (#979570) Homepage Journal

        I just made one of those sandwiches for myself, just 10 minutes ago.

        • (Score: 5, Funny) by Runaway1956 on Monday April 06 2020, @07:16AM

          by Runaway1956 (2926) Subscriber Badge on Monday April 06 2020, @07:16AM (#979583) Homepage Journal

          So, it works, but we need to work on delivery.

          --
          Abortion is the number one killer of children in the United States.
  • (Score: 4, Insightful) by Rosco P. Coltrane on Monday April 06 2020, @02:25AM

    by Rosco P. Coltrane (4757) on Monday April 06 2020, @02:25AM (#979550)

    They decide what goes and what doesn't now, thanks to their browser monopoly.

  • (Score: 3, Interesting) by corey on Monday April 06 2020, @04:43AM (3 children)

    by corey (2202) on Monday April 06 2020, @04:43AM (#979572)

    This morning my work laptop fan went flat out so I checked Task Manager. There was this strange task called 'software_reporter_tool'. Sounds dodgy.

    So I DDG'd it, found what it was and how to disable it. It's basically spyware by Google.

    https://www.ghacks.net/2018/01/20/how-to-block-the-chrome-software-reporter-tool-software_reporter_tool-exe/ [ghacks.net]

    The Software Reporter Tool scans the computer's drive and reports these scans to Google. Google Chrome uses the scan results to determine whether it should prompt the user to remove unwanted software from the computer as it impacts the browsing experience.

    • (Score: 4, Touché) by Unixnut on Monday April 06 2020, @07:43AM (1 child)

      by Unixnut (5779) on Monday April 06 2020, @07:43AM (#979584)

      You installed google software. In all honesty what else did you think would happen?

      • (Score: 2) by corey on Monday April 06 2020, @11:54PM

        by corey (2202) on Monday April 06 2020, @11:54PM (#979808)

        Here, have a +1 Touché.

        I normally use Firefox but there is a website I use for work based on Microsoft Office 365 and Teams and SharePoint which doesn't work in Firefox so I use Chrome.

    • (Score: 2) by Pino P on Monday April 06 2020, @01:14PM

      by Pino P (4721) on Monday April 06 2020, @01:14PM (#979629) Journal

      Does other antivirus software count as spyware as well?
