Everything About Chrome Samesite Cookie Changes

Management Summary

Since launching Chrome, Google's goal has been to keep the browser fast, simple, stable and secure. For this reason, Google announced on May 7, 2019 at the I/O developer conference that it would adapt its browser in terms of data protection, especially with regard to how cookies are used. Read on to learn what effects the new SameSite attribute has on tracking.

Cookies and the SameSite attribute

Cookies are used for a variety of purposes. However, browsers usually treat the different types of cookies the same way, which makes it hard to tell how and for what each cookie is used. If users delete all cookies, all online settings, such as automatically filled form data, are reset. When it comes to data security, rigid solutions that block all cookies across the board are not the answer, because they significantly impact the user experience.

The SameSite attribute is intended to help here. It defines which cookies may be read across websites and which may not. This is intended to give users more control over the use of their data while protecting against cross-site injection attacks.

“In the coming months, Chrome will require developers to use this mechanism to define the SameSite attribute on their own cookies as well. This change will then allow users to delete only certain cookies, depending on how they are used. This will make it possible, for example, to delete cookies that are read across websites, while also retaining cookies that are used for user logins and preferences. Additionally, browsers can provide clear information about which websites are setting these cookies, so that users can make informed decisions about how their data is used.” (Chromium Blog)

Changes regarding “SameSite Attribute”

  1. Cookies with SameSite by default
    Since Chrome 76 (released on July 30th), this feature can be activated via a flag for testing.
    Starting with Chrome 80 (planned release on February 4, 2020), this feature will be activated automatically.
  2. Reject insecure SameSite=None cookies
    Since Chrome 76 (released on July 30th), this feature can be activated via a flag for testing.
    Starting with Chrome 80 (planned release on February 4, 2020), this feature will be activated automatically.

Quick info: Chrome Flags
New Chrome features can be tested locally using Chrome flags. They are opened by entering “chrome://flags” in the address bar.

Change 1 – Cookies with SameSite by default

The new cookie attribute “SameSite” can take on three different values in Chrome:

  • None
    With SameSite=None, the cookie continues to behave like a classic 3rd-party cookie.
    For example, the cookies that Google itself uses within its advertising network will probably be marked with SameSite=None.
  • Strict
    In this case, the browser can only read the cookie in a 1st-party context. This means that a cookie set on https://e-dialog.group with SameSite=Strict can only be read on the address https://e-dialog.group.
    However, if the user lands on the website through a link from another page or an email, a cookie with SameSite=Strict will not be read during this initial page view.
    It can be used, for example, for cookies relating to changing passwords or online purchases.
  • Lax
    Cookies with SameSite=Lax behave like Strict cookies, with the difference that the cookie is also read during the initial page view if the user accesses the page via a link.

If this attribute has not been explicitly set to None or Strict on a cookie by version 80, Chrome will set it to Lax by default.

Detailed information on Chromestatus.com: Cookies with SameSite by default

Change 2 – Reject insecure SameSite=None cookies

To increase security, there is another change. From Chrome version 80, cookies with SameSite=None can only be written to the browser if the Secure flag is also set. Cookies with SameSite=None but without the Secure flag will be rejected. The Secure flag specifies that a cookie is only sent over a secure HTTPS connection.

Detailed information on Chromestatus.com: Reject insecure SameSite=None cookies

What is to be done now?

Change tracking and marketing tags

  • From Google (Google Analytics, Floodlight, Google Ads etc.)
    Google may implement the changes to its cookies itself.
  • From other providers (Facebook etc.)
    Here the responsibility for adapting the cookies, where necessary, lies with the providers.
    Nevertheless, you should confirm with your digital partners that they are implementing the necessary changes.

Changes to your own website

Here the developers have to check the cookies set by the site itself and adjust them if necessary. Google provides the following checklist:

  • Cookies that are only read from the same domain → no change necessary
  • Cookies that are only read across domains → Set SameSite=None and Secure
  • Cookies that are read from the same domain and across domains → Set SameSite=None and Secure
    In the long term, however, it is recommended to split such cookies into separate ones: cookies that are read on the same domain and cookies used for cross-domain exchange.
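
To check a site's own cookies against the two Chrome 80 changes and the three SameSite values described above, the rules can be modelled in a few lines. This is an added example, not code from Google or from this article's author; the function names, the context labels and the sample Set-Cookie headers are constructed, and treating an unrecognized SameSite value like a missing attribute is an assumption of the example.

```javascript
// Added example: models the Chrome 80 SameSite rules described in this article.
// All names and sample headers are constructed for illustration.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? '' : pair.slice(0, eq);
  let sameSite = null;   // null means the attribute is absent
  let secure = false;
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map(s => s.trim().toLowerCase());
    if (key === 'secure') secure = true;
    if (key === 'samesite') sameSite = value;
  }
  return { name, sameSite, secure };
}

// Change 1: a missing SameSite attribute is treated as Lax (assumption: an
// unrecognized value is handled the same way).
// Change 2: SameSite=None without Secure is rejected and never stored.
function chrome80Policy(header) {
  const { name, sameSite, secure } = parseSetCookie(header);
  const effective = ['strict', 'lax', 'none'].includes(sameSite) ? sameSite : 'lax';
  const rejected = effective === 'none' && !secure;
  return { name, declared: sameSite, effective, rejected };
}

// Is the cookie attached to a request in this context?
// 'same-site': request stays on the site that set the cookie
// 'cross-site-navigation': user follows a link from another page or email
// 'cross-site-subrequest': iframe, image or script request from another site
function isSent(policy, context) {
  if (policy.rejected) return false;
  if (context === 'same-site' || policy.effective === 'none') return true;
  return policy.effective === 'lax' && context === 'cross-site-navigation';
}

const CONTEXTS = ['same-site', 'cross-site-navigation', 'cross-site-subrequest'];
function auditAll(headers) {
  return headers.map(h => {
    const p = chrome80Policy(h);
    return { ...p, sentIn: CONTEXTS.filter(c => isSent(p, c)) };
  });
}

// Constructed sample headers: unset, Strict, None without Secure, None with Secure.
const samples = [
  'prefs=dark; Path=/',
  'session=abc; Secure; HttpOnly; SameSite=Strict',
  'ad_id=123; SameSite=None',
  'ad_id=123; SameSite=None; Secure',
];
console.table(auditAll(samples).map(r => ({ ...r, sentIn: r.sentIn.join(', ') })));
```

Any row with `rejected: true`, or a cookie that is needed across sites but ends up with `effective: 'lax'`, is one that has to be adjusted according to the checklist.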

Do you have questions about switching to the Chrome SameSite cookie change? Feel free to contact us!
