Google is updating the cookie settings for Chrome V80 on the 4th February 2020. The updates could potentially affect cookie-reliant functionality on your website.
Cookies without adequate preparation won’t work in the Chrome browser, which has 64% of the overall browser market, according to Stacounter.
Background Information About Cookies
Cookies that are set in the browser have several different properties such as Name, Value, Domain, Expiry and Size etc. However, the two properties that we are interested in are SameSite and Secure.
The SameSite cookie flag is designed to determine what data is getting sent with reach request. At the moment, all cookie data is getting sent per request.
Hence the security risk as CRSF tokens gets sent with each request. Setting the flag of None, Lax or Strict defines to how accessible you want your cookie values to be.
For instance:
Strict:
Cookies wouldn’t be shared with any 3rd parties and all the 3rd party cookie requests are nullified. Only the site that sets the cookie can access it; on the same domain e.g. your-website.com.
Lax:
The new default from February, cookies are only set when the domain in the URL of the browser matches the domain of the cookie (1st party cookies) and also specified subdomains within your domain.
None:
This setting allows you to have 1st Party (cookies from your website) and 3rd party (cookies from any external websites). This is the default before the update on the 4th of February.
Note there is a slight anomaly with Google Analytics – as they are creating 1st party cookies through a 3rd party script.
Finally, the Secure attribute should be enabled to ensure cookies are set and sent over HTTPS.
What is the Change?
Google first announced in May last year that cookies that do not include the “SameSite=None” and “Secure” labels won’t be accessible by third parties, such as ad tech companies, in Chrome version 80 and beyond.
In other words, the default setting is changing from None (which allows 3rd party cookies) to Lax (which does not allow 3rd party cookies). All 3rd party cookies must be secure to ensure they are using HTTPS requests.
The official launch day is February 4th (Tuesday), 2020.
Why is the Change Happening?
The use of 3rd party cookies can make websites vulnerable to attacks such as malicious tracking, leaking of sensitive data and are susceptible to cross-site request forgery (CSRF) attacks.
“In order to move the web ecosystem to a more healthy place, we are changing the default behaviour for when SameSite is not specified to automatically default to a more secure option rather than a less secure option,” said a Google spokesperson.
Mozilla’s Firefox and Microsoft’s Edge say they will also adopt the SameSite=Lax default.
What are the Risks of Not Acting Now?
There are a few scenarios where failure to adhere to the new guidelines could affect your website:
1 – Single-sign on and Subscription Platforms
Companies that use 3rd party cookies for functionality such as membership platforms, subscription management and single sign-on across multiple websites will need to create an alternative solution. This is because the new Chrome update may require users to sign in multiple times, which would be a frustrating experience.
2 – Frequency Capping
Advertisers currently use a cross-domain user ID to manage the number of ads shown across various websites. If access to the 3rd party cookie is no longer available, then we will likely see an increase in consumers getting ads for products that they have already bought.
3 – Audience Analytics
In 2019, Apple shortened the life span of third-party cookies on Safari to seven days after updating its Intelligent Tracking Protection policy. This meant third-party audience analytics software, like Google Analytics, were at risk of having inflated audience numbers.
What do we need to do to prepare?
Publishers can begin testing whether their sites are affected by going to chrome://flags and enabling #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure to see whether anything breaks. They should also migrate to HTTPS secure pages if they haven’t done so already.
Google is encouraging publishers to review the alerts in their developer tools to check whether vendors, including ad tech and analytics providers, are setting or accessing third-party cookies on their sites without the correct labelling.
For companies who set 1st Party cookies that are used on other domains that they own, the cookies should be updated to follow the new guidelines.
To view the list of cookies a website has:
- Right-click the page and click Inspect.
- Then click the Application tab.
- Then under Storage > Cookies, select your current domain.
You can then see a breakdown of all the cookies on your website.
Please note, that any cookies with the same domain as your website are 1st party cookies and any cookies with a different domain are 3rd party cookies. We want to ensure that all cookies have the SameSite set to either None or Strict and ensure that the Secure attribute is checked.
Again, any 1st party cookies should have the settings updated to match the guidelines. For 3rd party cookies, please contact the relevant provider to update the settings.
Google’s response:
“With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections. The Chrome Platform Status trackers for SameSite=None and Secure will continue to be updated with the latest launch information.”
“Some providers (including some Google services) will implement the necessary changes in the months leading up to Chrome 80 in February; you may wish to reach out to your partners to confirm their readiness.”
Google Labs have released a fix for 1st Party cookies, where developers can update the cookie settings using a development language of their choice.
Final Thoughts
The industry is divided as to whether the SameSite update is a precursor to Google tightening wider cookie policy in the future, in a similar vein to Apple’s Intelligent Tracking Prevention and Firefox’s Enhanced Tracking Protection.
Similarly to when Doubleclick had to update its measurement protocol due to regulation from ITP2 from Apple, the implications for ad campaigns, attribution models (that include post-impression data) and audiences should be minimal, as it is in the best interests of the networks to address the solution on your behalf.
Some of the rhetoric around the subject online seems to mix up the change present in Chrome 80 with Google’s announcement that they will phase out 3rd party cookies by 2022, which is much bigger because a lot of DMP/DSP/programmatic real-time bidding technology is underpinned by the 3rd party cookie.
In any case, the new Chrome update will ensure that the user’s data is safer than before and safeguards against cross-site request forgery (CSRF) attacks.
Chrome already offers users the ability to block third-party cookies and to clear all their cookies. The SameSite change should allow users more nuanced control of their privacy settings as first-and third-party cookies will be more accurately designated — so they can clear ad-tracking cookies but leave their on-site login details and preferences unaffected.