Last year Google announced its intention to slowly roll out changes to the way Chrome SameSite cookies work, including the way third-party cookies and cross-site tracking are handled with SameSite attribution. In April Google rolled back the implementation of the SameSite cookie changes in order to guarantee stability for websites that were providing essential services during the COVID-19 pandemic. A few months later, Google is ready to bring the changes back.
What Are Cross Site Tracking Cookies?
Cross-site tracking cookies essentially manage user sessions and can be used to track a user across various websites that aren’t given SameSite attribution. SameSite attribution is where a browser, such as Chrome, can only access cookies if the URL either matches what’s in the address bar or practices ‘safe HTTP methods’.
The problem with cross-site tracking is the security vulnerabilities it poses. It can be, and has been, used by bad actors to steal user accounts and money.
This is why Google has been rolling out a stricter cookie system for Chrome since last year. Under the new cookie classification system, a site developer needs to set up SameSite variables for their cookies. Failure to do so will set the cookies to secure by default, which has the potential to cause breakages on websites that rely on cross-site tracking. Retail sites are a good example of this.
While this sounds like terrible news for anyone who relies on third-party cookies, Google will be replacing these with a ‘privacy sandbox’ that enables advertisers to still deliver ads to users while those users share only minimal information back about their browsing habits and other general information.
Chrome SameSite Cookies And COVID-19
Because of the impact that the new cookie classification system could have on websites, Google chose to roll it back in April due to COVID-19.
“In April, we temporarily rolled back the enforcement of SameSite cookie labeling to ensure stability for websites providing essential services in the critical initial stage of COVID-19 response,” Justin Schuh, Director of Chrome Engineering, said in a blog post.
Schuh went on to state that the company had been monitoring the “overall ecosystem readiness” during this time to ensure websites and services were ready for the new SameSite labelling rollout. He also confirmed that the SameSite cookie re-enforcement would coincide with the release of Chrome 84 on July 14, which will be July 15 here in Australia.
“As with the previous roll out, the enforcement will be gradual and we will keep you informed on timing and any possible changes on the SameSite Updates page on Chromium.org. Our overall guidance for developers hasn’t changed and you can find more information along with resources and channels to provide feedback in this previous Chromium post and on Web.dev,” Schuh said.
Once the re-rollout begins, devs will need to add a SameSite attribution to avoid breakages. As we reported several months back, the default tag will be ‘SameSite=Lax’ if no action is taken. And as Google Engineer Lily Chen noted back in January: “Some sites relying on third-party cookies may break temporarily until developers add ‘SameSite=None’.”
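To check which of a site's cookies are affected by the Lax default and the ‘SameSite=None’ requirement described above, a developer can audit Set-Cookie headers. The sketch below is an added example, not code from Google or Chromium: the function names and header strings are constructed, the model is simplified, and it assumes Chrome's rule (not stated in this article) that a ‘SameSite=None’ cookie is only accepted when it also carries ‘Secure’.

```javascript
// Added example: a simplified model of how Chrome's SameSite-by-default
// enforcement treats a Set-Cookie header. Function names are hypothetical.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim());
  const cookie = { name: nameValue.split('=')[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=').map((p) => p.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

function classify(header) {
  const c = parseSetCookie(header);
  const result = (effective, sentInThirdPartyContext, note) =>
    ({ name: c.name, effective, sentInThirdPartyContext, note });
  if (c.sameSite === 'strict' || c.sameSite === 'lax') {
    return result(c.sameSite, false, 'explicit setting, withheld from embedded cross-site requests');
  }
  if (c.sameSite === 'none') {
    // Assumption labelled in the lead-in: None is only honoured together with Secure.
    return c.secure
      ? result('none', true, 'still available to third-party contexts over HTTPS')
      : result('rejected', false, 'SameSite=None without Secure is dropped');
  }
  // Attribute missing or value unrecognised: the new default applies.
  return result('lax', false, 'no SameSite attribute, treated as SameSite=Lax');
}

// Returns only the cookies whose third-party behaviour changes under enforcement.
function audit(headers) {
  return headers.map(classify).filter((r) => !r.sentInThirdPartyContext && r.effective !== 'strict'
    && !r.note.startsWith('explicit'));
}

// Constructed sample headers, as a retail site with an embedded widget might send.
const sampleHeaders = [
  'session=abc123; Path=/; HttpOnly',              // unlabelled
  'cart_widget=xyz; SameSite=None',                // None but not Secure
  'cart_widget2=xyz; SameSite=None; Secure',       // correctly labelled third-party cookie
  'prefs=dark; SameSite=Strict; Secure',           // explicit first-party cookie
];

for (const r of audit(sampleHeaders)) {
  console.log(`${r.name}: ${r.effective} (${r.note})`);
}
```

Cookies that appear in the audit output are the ones a developer needs to label explicitly before enforcement reaches their users.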