How incrementally better cookie impacts to Web in practice

Motivation

Google announced that chrome browser will change default behavior of same-site attribute of cookie on Feb 2020. I am really curious how it impacts to real web site, If the change screw up entire web sites or not.

It's a proposal made by Google for having better cookie incrementally before replacing cookie like HTTP state token has been done to mitigate privacy issues.
How it affect to cookie is

  1. Treat the lack of an explicit "SameSite" attribute as "SameSite=Lax".
  2. Required "Secure" attribute to be set for any cookie which asserts "SameSite=None".

So what do you mean?
Before jumping to practical investigation, It would be better to make sure how Same-Site attribute works.

How Same-Site attribute works

same-site cookie attribute lets server disallow to have cross-site usage for specific cookie.
So that provides some protection against cross-site request forgery attack (CSRF).
Same-Site attribute can have one of three values.

None: The browser can send the cookie to both first-party and third-party.

Strict: The browser can only send the cookie to same-site. It means that cookie won’t be sent when the user navigates to the site by following a link.

Lax: Some cross-site usage is allowed.

Here is a table indicates what cookies are sent with cross-origin requests.

request type example code cookies sent
link <a href="…"> normal, None, Lax
prerender <link rel="prerender" href="…"> normal, None, Lax
form get <form method="get" action="…"> normal, None, Lax
form post <form method="post" action="…"> normal, None
iframe <iframe src="…"> normal, None
ajax $.get('…') normal, None
image <img src="…"> normal, None

( Table shows if cookie is sent with cross-origin )

Normal equals to not specifying Same-Site attribute. Currently, Almost cookie usage is allowed with cross-origin without having Same-Site attribute.
At the same time, It means changing SameSite as Lax by default limits almost usage except link, prerender and form get.

request type example code cookies sent
link <a href="…"> normal ( Lax ), None with Secure
prerender <link rel="prerender" href="…"> normal ( Lax ), None with Secure
form get <form method="get" action="…"> normal ( Lax ), None with Secure
form post <form method="post" action="…"> None with Secure
iframe <iframe src=""> None with Secure
ajax $.get('…') None with Secure
image <img src="…"> None with Secure

( Table shows if cookie is sent with cross-origin when we have better cookie )

Ok, Previously normal ( not specifying Same-Site attribute ) can send cookie with cross-domain on any usage but it won’t work completely when having better-cookie.
So can you imagine how it impacts to Web?
Let’s jump to practical web with enabling Lax as default.

Chrome is able to turn on Same-Site=Lax as default with experimental flag by following.

  1. Go to chrome://flags
  2. Enable below experiments
    • SameSite by default cookies
    • Enable removing SameSite=None cookies
    • Cookies without SameSite must be secure
  3. Relaunch Chrome

How to enable Same-Site=Lax on Chrome

Japanese top 10 site

See what’s happen with enabling flags.
I have checked top 10 Japanese Web site on Alexa, Trolling issues related to authentication flow, displaying contents and console.log.
Here is sites I checked.

  1. rakuten.co.jp
  2. yahoo.co.jp
  3. fc2.com
  4. nicovideo.jp
  5. ameblo.jp
  6. dmm.co.jp
  7. kakaku.com
  8. livedoor.jp
  9. line.me
  10. mercari.com

Fortunately, I did not find any site what does not work in critical functionality.
However, Of course, I saw a lot of warnings on console.log which indicates that third-party cookies without Same-Site attribute are blocked.
Ad network or A/B testing services cookies are blocked In most cases. Fair enough.

Conclusion

I hope your site will have no problem when Chrome enable SameSite cookie Lax as default.
Also, We may have to revisit followings for your sites.

  1. Make sure your site works with experimental flags before encountering real issue.
  2. If it does not work, Probably you may need to consider site architecture.
  3. Ad networks or A/B testing could be gone, It won’t be working properly.
  4. Make sure serving Same-Site=None cookies via HTTPs if you have to use thrid-party scripts.

References