SameSite Cookie Behavior for Chrome, FireFox, and Edge: What this means for Web Developers
February 13, 2020
Google Chrome is continuously working to improve browser security, and their development team is implementing some sweet improvements beginning in February 2020. SameSite Cookie policies will become the default for browsers starting with Chrome 80. Putting these policies in place sets up a defense against cross-site request forgery attacks, and means web developers will determine which cookies can work across websites protecting them by default which will increase privacy and security. SameSite cookie policies also allow the user to have the option to manage first-party and third-party cookies independently.
What are First-party and Third-party cookies?
Cookies are pieces of data that websites store on a user’s computer usually via text file that tells specific information about the user. This allows websites to remember useful data about the user for when they return to the website such as a user’s login information. Cookies are also used to track website pages that users visit and is useful in serving advertisements based on that information tracked. There are different types of cookies such as first party and third party.
First- party cookies are the ones that get stored on the website page a user visits and tracks the user’s activity. Third-party cookies are those that are stored by a website other than the one the user is currently viewing. These third-party cookies are the advertisements that pop up from another site while a user is on a different website.
What this change actually entails:
Third-party cookies will now be handled differently through the newer secure-by-default application within browsers. Secure-by-default allows only the least amount of trust (none) to be introduced to parties upon first contact. Specific permission settings are now required for third-party information before the cookie data is sent to the website.
When the SameSite cookie policies are enabled this means the third-party cookies will now be required to be transmitted over https:// connections. If this is not done the third-party cookie will be restricted to the secure-by-default model where it will need to be a secure designation or it will be rejected. The rejected request will convert to SameSite=Lax and will not be sent in as third–party context.
Setting guide for SameSite Cookies:
There are three different settings for the SameSite cookie policies. Strict, None, and Lax.
For first-party cookies that typically don’t need to retrieve values from third-party context, set the SameSite value to strict.
Use the SameSite Lax value setting when the cookie is only being sent on same-site requests or top-level navigation with a safe HTTP method. The Lax setting will not send the cookie with cross-domain requests.
The most common setting is the SameSite None. This allows access to third-party contexts as long as it is done over the secure https:// connections. Use this setting for most cases, and it is best suited for cross-site cookies such as widgets on a website.
For all of your web development needs contact us for our expert services!