Temporarily rolling back SameSite Cookie Changes
With the stable release of Chrome 80 in February, Chrome began enforcing secure-by-default handling of third-party cookies as part of our ongoing effort to improve privacy and security across the web. We've been gradually rolling out this change since February and have been closely monitoring and evaluating ecosystem impact, including proactively reaching out to individual websites and services to ensure their cookies are labeled correctly.
However in light of the extraordinary global circumstances due to COVID-19, we are temporarily rolling back the enforcement of SameSite cookie labeling, starting today. While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time. As we roll back enforcement, organizations, users and sites should see no disruption.
WTF is Chrome's SameSite cookie update? - Digiday:
On February, 4, Google is set to roll out a new Chrome update that promises a bunch of new features designed to make the browser faster and more secure — including a new approach to cookies.
The SameSite update will require website owners to explicitly state label the third-party cookies that can be used on other sites. Cookies without the proper labelling won't work in the Chrome browser, which has 64% of the overall browser market, according to Stacounter.
Google first announced in May last year that cookies that do not include the "SameSite=None" and "Secure" labels won't be accessible by third parties, such as ad tech companies, in Chrome version 80 and beyond. The Secure label means cookies need to be set and read via HTTPS connections.
Right now, the Chrome SameSite cookie default is: "None," which allows third-party cookies to track users across sites. But from February, cookies will default into "SameSite=Lax," which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie — a first-party cookie.
Any cookie with the "SameSite=None" label must also have a secure flag, meaning it will only be created and sent through requests made over HTTPs. Meanwhile, the “SameSite=Strict” designation restricts cross-site sharing altogether, even between different domains that are owned by the same publisher.
Mozilla’s Firefox and Microsoft's Edge say they will also adopt the SameSite=Lax default.
https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it:
If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes.
What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes.
Last one: what if an attacker directs you to a malicious website and upon visiting it your browser makes a post request to the original website that set the cookie - will that cookie still be sent with the request? Yes!
Cookies just don't care about how the request was initiated nor from which origin, all they care about is that they're valid for the requested resource. "Origin" is a key word here too; those last two examples above are "cross-origin" requests in that they were initiated from origins other than the original website that set the cookie. Problem is, that opens up a rather nasty attack vector we know as Cross Site Request Forgery or CSRF. Way back in 2010 I was writing about this as part of the OWASP Top 10 for ASP.NET series and a near decade on, it's still a problem.
(Score: 2) by Runaway1956 on Monday April 06, @12:43AM (1 child)
Let's turn off our well-thought-out security features, until the emergency is over!
Alright, someone try to convince me that this isn't stupid.
(Score: 0) by Anonymous Coward on Monday April 06, @12:55AM
Move slow and don't break things.
(Score: 0) by Anonymous Coward on Monday April 06, @12:58AM
Move forward to the future, not back to the past. If you keep up this retrograde thinking, you'll soon be releasing a browser that doesn't track users, and then forcing your female employees to go to the kitchen and make you a sandwich.