How incrementally better cookie impacts to Web in practice
Motivation
Google announced that chrome browser will change default behavior of same-site attribute of cookie on Feb 2020. I am really curious how it impacts to real web site, If the change screw up entire web sites or not.
What’s incrementally better cookie?
It’s a proposal made by Google for having better cookie incrementally before replacing cookie like HTTP state token has been done to mitigate privacy issues. How it affect to cookie is
- Treat the lack of an explicit “SameSite” attribute as “SameSite=Lax”.
- Required “Secure” attribute to be set for any cookie which asserts “SameSite=None”.
So what do you mean? Before jumping to practical investigation, It would be better to make sure how Same-Site attribute works.
How Same-Site attribute works
same-site cookie attribute lets server disallow to have cross-site usage for specific cookie. So that provides some protection against cross-site request forgery attack (CSRF). Same-Site attribute can have one of three values.
None: The browser can send the cookie to both first-party and third-party.
Strict: The browser can only send the cookie to same-site. It means that cookie won’t be sent when the user navigates to the site by following a link.
Lax: Some cross-site usage is allowed.
Here is a table indicates what cookies are sent with cross-origin requests.
| request type | example code | cookies sent |
|---|---|---|
| link | <a href="…"> |
normal, None, Lax |
| prerender | <link rel="prerender" href="…"> |
normal, None, Lax |
| form get | <form method="get" action="…"> |
normal, None, Lax |
| form post | <form method="post" action="…"> |
normal, None |
| iframe | <iframe src="…"> |
normal, None |
| ajax | $.get('…') |
normal, None |
| image | <img src="…"> |
normal, None |
( Table shows if cookie is sent with cross-origin )
Normal equals to not specifying Same-Site attribute. Currently, Almost cookie usage is allowed with cross-origin without having Same-Site attribute. At the same time, It means changing SameSite as Lax by default limits almost usage except link, prerender and form get.
| request type | example code | cookies sent |
|---|---|---|
| link | <a href="…"> |
normal ( Lax ), None with Secure |
| prerender | <link rel="prerender" href="…"> |
normal ( Lax ), None with Secure |
| form get | <form method="get" action="…"> |
normal ( Lax ), None with Secure |
| form post | <form method="post" action="…"> |
None with Secure |
| iframe | <iframe src=""> |
None with Secure |
| ajax | $.get('…') |
None with Secure |
| image | <img src="…"> |
None with Secure |
( Table shows if cookie is sent with cross-origin when we have better cookie )
Ok, Previously normal ( not specifying Same-Site attribute ) can send cookie with cross-domain on any usage but it won’t work completely when having better-cookie. So can you imagine how it impacts to Web? Let’s jump to practical web with enabling Lax as default.
How to check incrementally better cookie?
Chrome is able to turn on Same-Site=Lax as default with experimental flag by following.
- Go to chrome://flags
- Enable below experiments
- SameSite by default cookies
- Enable removing SameSite=None cookies
- Cookies without SameSite must be secure
- Relaunch Chrome
Japanese top 10 site
See what’s happen with enabling flags. I have checked top 10 Japanese Web site on Alexa, Trolling issues related to authentication flow, displaying contents and console.log. Here is sites I checked.
- rakuten.co.jp
- yahoo.co.jp
- fc2.com
- nicovideo.jp
- ameblo.jp
- dmm.co.jp
- kakaku.com
- livedoor.jp
- line.me
- mercari.com
Fortunately, I did not find any site what does not work in critical functionality. However, Of course, I saw a lot of warnings on console.log which indicates that third-party cookies without Same-Site attribute are blocked. Ad network or A/B testing services cookies are blocked In most cases. Fair enough.
Conclusion
I hope your site will have no problem when Chrome enable SameSite cookie Lax as default. Also, We may have to revisit followings for your sites.
- Make sure your site works with experimental flags before encountering real issue.
- If it does not work, Probably you may need to consider site architecture.
- Ad networks or A/B testing could be gone, It won’t be working properly.
- Make sure serving Same-Site=None cookies via HTTPs if you have to use thrid-party scripts.