Google’s Chrome 80 clamps down on cookies and notification spam – Naked Security


Version 80 of the Chrome browser is out with some new features designed to save your security and your sanity.

The latest version of Google’s browser rolled out this Tuesday, 4 February. There are several key changes, but one of the most significant is that it delivers on a promise it made in 2019 about how it handles cookies.

Cookies are the small files websites store in your browser to identify you on future visits. Two kinds of site can request a cookie from your browser. The first is the first-party site that you are visiting, which needs those cookies for things like logging you back in automatically. The second is a third-party site, which the original site might call out to.

There are many reasons for a first-party site to tell a third-party site that you are visiting. Some of them are annoying, like telling advertising companies where you are going online (tracking). Others are more innocuous, such as downloading scripts and fonts from third-party sites to give you a better experience. Either way, if the third-party site doesn’t manage cookies properly, or if another site manages to impersonate a legitimate third-party site, it could introduce security problems. So, Google has introduced tighter third-party cookie controls in Chrome.

The changes pivot around the SameSite tag, which is a draft Internet Engineering Task Force (IETF) standard proposed by Google and Mozilla. Developers can use it to tell browsers that cookies should not be sent with cross-site requests. It helps to eliminate things like cross-site request forgery (CSRF) attacks.

Under the new rules, Chrome 80 introduces secure-by-default cookie classification using SameSite. If a cookie arrives without a SameSite value, the browser treats it as though it were tagged SameSite=Lax. That’s the same as forbidding it to be sent to a third-party site.

For a cookie to be sent to a third party, a website developer will have to tag it as SameSite=None; Secure. That means it can only be sent to sites using HTTPS, which is the more secure, encrypted version of the Hypertext Transfer Protocol that web servers use to send a browser their web page data.
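To make the classification rules concrete, here is an added example (not code from the article or from Chrome) that parses a Set-Cookie header and applies Chrome 80’s defaults: untagged cookies become Lax, SameSite=None without Secure is rejected, and Secure cookies travel only over HTTPS. It goes one step beyond the article’s summary by distinguishing a cross-site top-level navigation (following a link), where Lax cookies are still attached, from cross-site subresource requests, where they are not; the context names are this example’s own.

```javascript
// Parse a Set-Cookie header into name, value and lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : pair.slice(0, eq),
    value: eq < 0 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const part of attrParts) {
    const [k, v] = part.split('=').map((s) => s.trim());
    cookie.attrs[k.toLowerCase()] = v === undefined ? true : v; // bare flags become true
  }
  return cookie;
}

// Effective SameSite mode under Chrome 80: 'Lax', 'Strict', 'None',
// or 'rejected' when SameSite=None is set without the Secure attribute.
function effectiveSameSite(cookie) {
  const raw = cookie.attrs.samesite;
  const secure = cookie.attrs.secure === true;
  if (raw === undefined) return 'Lax'; // Chrome 80 default for untagged cookies
  const mode = String(raw).toLowerCase();
  if (mode === 'none') return secure ? 'None' : 'rejected';
  if (mode === 'strict') return 'Strict';
  return 'Lax'; // 'lax' and any unrecognised value fall back to Lax
}

// Would the browser attach this cookie to a request? context is one of
// 'same-site', 'cross-site-navigation' (top-level GET such as a link or
// redirect) or 'cross-site-subresource' (script, image, fetch, iframe).
function isSent(header, context, overHttps = true) {
  const cookie = parseSetCookie(header);
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected') return false;                 // never stored at all
  if (cookie.attrs.secure === true && !overHttps) return false; // Secure => HTTPS only
  if (context === 'same-site') return true;
  if (mode === 'Strict') return false;                   // first-party only
  if (mode === 'Lax') return context === 'cross-site-navigation';
  return true; // None; Secure: attached to every cross-site request over HTTPS
}
```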