What is Google’s New Chrome SameSite Cookie Policy?

Google won’t officially commit 1-8-7 on third-party cookie tracking in Chrome for another two years—but come February 4, 2020, publishers will have to adjust their code to explicitly state how cookies will work across sites and potentially track users.

The changes will roll out with the release of Chrome 80 and cookies that have not been declared with the appropriate settings—defining how cookies are stored and fired—will not be available for external access. This will immensely impact publishers’ ability to target their audiences for advertising and content recommendation purposes. Other external services like third-party widgets and social embeds will also be affected.

Certainly, this move brings greater transparency and privacy to users, safeguarding them and the websites they trust from exposure to attacks such as Cross Site Request Forgery (CSRF). Such attacks can occur when bad actors cause a user’s browser to perform a malicious request against a site they are authenticated on, like perhaps making a falsified banking transfer. Events like this can happen today because most sites don’t have secure SameSite Cookie settings in place.

But one has to wonder, how much it further cements the tech behemoth’s dominance in ad market share? (Those are concerns left for other conversations.)

What Is the SameSite Cookie Attribute?

The SameSite cookie attribute was first defined in 2016—with origins for the Secure Cookie Flag dating back to 1997—allowing for third-party cookies to be restricted to either a first-party or same-site context. So when another site tries to request something from the original site the cookie won’t be sent.

The attribute also limits the risk of cross-origin information leakage.

Let’s take it back to my earlier banking scenario. With the right SameSite Cookie settings in place, if I were logged into my bank; didn’t log out,  and then visited another site, then a CSRF baddie couldn’t use my logged-in state to make a malicious request for that bank transfer because they wouldn’t be able to access my cookies.

The SameSite cookie attribute originally provided two different methods for defining when and how cookies are fired—Strict and Lax. In strict mode, cookies can not be used cross-site. In the lax mode, there are instances where cross-site usage would be allowed, such as when it is a GET request and the request is top-level.

Chrome’s update will set cookies to the default state of Lax under the Incrementally Better Cookies Policy proposed by the Internet Engineering Task Force.

SameSite Chrome Cookie Settings/Naming Conventions (MetaX)

What Are Chrome’s SameSite Changes?

Under the Incrementally Better Cookies Policy, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax, restricting the sharing of cookie data across sites. For external access, cookies will need to be set to SameSite=None; Secure and would have to be accessed from secure connections (sites and web applications with HTTPS using the SSL/TLS protocol to provide the secure connection). Just setting cookies to SameSite=None will not enable them to be sent across sites unless they are also tagged with the Secure attribute, requiring that encrypted connection.

Publishers should update their cookies to ensure they are still collecting data from their cookies. Just go to chrome://flags in Chrome 76 (and above) and enable “SameSite by default cookies” and “Cookies without SameSite must be secure” to see how the changes will behave on your site.

It’s also time to start testing whether your vendors—measurement, SSP and exchange partners—have also updated their cookies. Just check if they’re missing the required cookie setting by looking for Developer Tools console warnings in Chrome 77 (and above). It’s better to get ahead of any reconciliation nightmares or revenue losses ahead of the game.

Access to third-party cookie data can make or break an ad tech vendor’s business, so it would behoove them to get with the program—post haste.

Mozilla already supports the new cookie standard in Firefox60 and Microsoft has plans to implement the update in Microsoft Edge 80. In ITP 2.1, Apple completely blocks third-party cookies and limits storage of cookies created on the browser to only seven days. Meanwhile, in ITP 2.2, cookies are kept for only one day.

On the Road to the Third-Party Cookie’s Demise

On the road to greater user privacy, Chrome also offers users ad transparency tools, that surface insight into why they are being presented with specific ads, how to block them and which companies are involved in the ad servicing process, like ad networks DSPs and SSPs. The ability to disable third-party cookies has been available to users for some time now.

And while Google does plan to end third-party cookie tracking in Chrome in two years, there is a plan to replace it with the Privacy Sandbox, a set of APIs intended to preserve privacy while still enabling some of the measurement and tracking abilities that third-party cookies now provide.

While Chrome’s initiatives are nowhere near as aggressive as Apple’s, it is a sign that the third-party cookie’s usefulness is dwindling fast and publishers need to look for alternative solutions.