What are cookies and how are they used?
Before we dive into Google’s changes to its cookie policies, let’s touch upon what cookies are and how they are used. Simply put, cookies are small pieces of text stored by the web browser that are used to remember user attributes.
Cookies are important because they enhance the user’s experience as they browse the web. For example, if you are shopping on an eCommerce website and add something to your cart but don’t sign in or purchase in that visit, cookies remember your items and keep them in your cart for your next visit. Or, imagine if you were forced to re-input your username and password every time you visit your favorite social media website. Cookies solve that problem too, because they store information that helps sites identify who you are. These kinds of cookies are called first-party cookies because they are created and used by the website you visited.
Third-party cookies also exist. To better understand them, let’s consider this example:
Let’s say a hypothetical social media company called “Friends” provides a Share button that other sites implement to allow Friends users to share the site’s content on the Friends feed. Now, a user reads a news article on a news website that’s using the Share button and clicks it to automatically post on their Friends account.
For this to happen, the browser fetches the Friends Share button from platform.friends.com when the news article is loaded. Within this process, the browser attaches Friends cookies, which contain the logged-in credentials of the user, to the request to Friends servers. This allows Friends to post the news article in its feed on the user’s behalf without requiring the user to log in.
This is all possible by using third-party cookies. In this case, the third-party cookie is saved on the browser for platform.friends.com, so that platform.friends.com can make the post in the Friends app on the user’s behalf.
If you imagine for a moment how to achieve this use case without third-party cookies, the user would have to follow a lot of manual steps. First, the user would have to copy the link to the news article. Second, the user would have to log into the Friends app separately. Then, the user would click on the Create Post button. Then the user would copy and paste the link in the text field, and finally click Post. As you can see, third-party cookies immensely help the user experience as manual steps can be drastically reduced.
More generally, third-party cookies make it possible for data to be stored on a user’s browser without requiring that user to explicitly visit a website.
Security concerns
Although cookies enhance user experiences and power advertising, they can also introduce security vulnerabilities like Cross-Site Request Forgery (CSRF) attacks. For example, if a user logs in to a banking site to pay credit card bills, leaves the site without logging out, and then browses to a malicious site in the same session, a CSRF attack can occur. The malicious site could include code that makes a request to the banking site as soon as the page loads. Because the user is still authenticated to the banking site, the session cookie is attached to that request and can be used to initiate a funds transfer out of the user’s bank account. This is possible because whenever a request is made to a site, all of that site’s cookies are attached to the HTTP request, regardless of which page initiated it. Because of these security concerns, Google is now attempting to mitigate them.
How does Target use cookies?
With all that said, let’s see how Target uses cookies. In order for you to use Target in the first place, you need to install the Target JavaScript library on your site. This enables you to place a first-party cookie on the browser of the user that visits your site. As your user interacts with your website, you can pass the user’s behavioral and interest data to Target through the JavaScript library. The Target JavaScript library uses first-party cookies to extract identification information about the user to map to the user’s behavior and interest data. This data is then used by Target to power your personalization activities.
Target also (sometimes) uses third-party cookies. If you own multiple websites that live on different domains and you want to track the user journey across those websites, you can use third-party cookies by leveraging cross-domain tracking. By enabling cross-domain tracking in the Target JavaScript library, your account will start using third-party cookies. As a user hops from one domain to another, the browser communicates with the backend server of Target, and in this process, a third-party cookie is created and placed on the user’s browser. Through the third-party cookie that lives on the user’s browser, Target is able to deliver a consistent experience across different domains for a single user.
Google’s new cookie recipe
To provide safeguards around when cookies are sent across sites so that users are protected, Google plans to add support for an IETF standard called SameSite, which requires web developers to manage cookies with the SameSite attribute component in the Set-Cookie header.
There are three different values that can be passed into the SameSite attribute: Strict, Lax, or None. With Lax, the cookie is still sent when the user navigates to the site from another site using a safe method such as HTTP GET. Therefore, this option would be used if the cookie can be used by third-parties, but with an added security benefit that protects users from being victimized by CSRF attacks.
Keeping the above in mind, Chrome 80 introduces two independent settings for users: “SameSite by default cookies” and “Cookies without SameSite must be secure.” These settings will be enabled by default in Chrome 80.
- SameSite by default cookies: When set, all cookies that don’t specify the SameSite attribute will automatically be treated as SameSite=Lax.
- Cookies without SameSite must be secure: When set, cookies without the SameSite attribute or with SameSite=None need to be Secure. Secure in this context means the cookie is only sent over HTTPS connections. Cookies that do not adhere to this requirement are rejected. All websites should use HTTPS to meet this requirement.