Google will start rolling out a new version of Chrome that can prevent cross-site tracking today, February 4th. The tech giant first revealed that it was working on the feature in mid-2019 in an effort to prevent security issues caused by cookie vulnerabilities — bad actors, for instance, could transfer funds or hijack accounts by exploiting browser cookies. Chrome 80 could help prevent those situations from happening by enforcing “a new secure-by-default cookie classification system.”
Web developers can use the “SameSite” attribute to indicate how cookies, the small files your browser stores from the websites you visit, behave. They can restrict a cookie so that the browser sends it only when the cookie's URL matches the URL in the address bar, or only when a request to the destination website uses “safe HTTP methods.” They can also allow cookies to be sent across sites, which lets them track users from one site to another. However, using the attribute is optional, and cookies without it can automatically track you across the sites you visit.
To help mitigate sign-on issues, Chrome has introduced a new feature that allows cookies without a specified SameSite setting to be available for the type of top-level cross-site POST request typically used for sign-on flows. The “Lax + POST” mitigation, as it’s called, gives the cookie just two minutes to carry out its intended function. Google is also giving developers time to transition. While the Chrome update itself will start making its way to users today, Google won’t start enforcing the new cookie classification system until later this month “with a small population of users, gradually increasing over time.”
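The SameSite choices and the “Lax + POST” window described above can be modelled as a single decision function. This is an added example, not Chrome's code: `parseSetCookie` and `cookieIsSent` are hypothetical names, the sample headers are constructed, and the two rules the article does not spell out (a cookie with no SameSite attribute is treated as Lax, and `SameSite=None` is only accepted together with `Secure`) are Chrome's published behaviour for this rollout.

```javascript
// Added example (not Chrome source). Names are hypothetical; inputs are constructed.
const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // the two-minute "Lax + POST" window
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Extract the two attributes that matter here from a Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite" && ["strict", "lax", "none"].includes(value)) {
      cookie.sameSite = value;
    }
  }
  return cookie;
}

// req = { crossSite, topLevel, method }; ageMs = time since the cookie was set.
function cookieIsSent(cookie, req, ageMs) {
  // Assumption from Chrome's rollout: SameSite=None without Secure is rejected.
  if (cookie.sameSite === "none" && !cookie.secure) return false;
  if (!req.crossSite) return true; // same-site requests always carry the cookie
  const mode = cookie.sameSite || "lax"; // no attribute: treated as Lax
  if (mode === "none") return true;
  if (mode === "strict") return false;
  if (!req.topLevel) return false; // Lax: top-level navigations only
  if (SAFE_METHODS.has(req.method)) return true;
  // "Lax + POST": only for cookies with no SameSite attribute, only while fresh.
  return cookie.sameSite === null && req.method === "POST" && ageMs <= LAX_POST_WINDOW_MS;
}

// Constructed scenario: an identity provider POSTs the user back to the app.
const ssoPost = { crossSite: true, topLevel: true, method: "POST" };
const session = parseSetCookie("sid=abc123; Path=/; HttpOnly");
console.log(cookieIsSent(session, ssoPost, 30 * 1000));     // within the window
console.log(cookieIsSent(session, ssoPost, 5 * 60 * 1000)); // window expired
```

A session cookie that must survive a cross-site POST for longer than two minutes has to declare `SameSite=None; Secure` explicitly rather than rely on the mitigation.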
Google has also warned that enterprise administrators may need to implement special policies to revert Chrome to legacy behaviour if internal applications have not yet been updated to meet Chrome’s new expectations. Overall, this change should further bolster web security for ordinary users.