Google has officially declared that the new version of Chrome, just released, introduces changes in the management of SameSite cookies that could compromise some features of the websites that use them. The change implies that only cookies set with the "SameSite = None; Secure" attribute will be accessible from third party contexts, and only if access will take place through secure connections.
The target was described by Google last month, i.e. gradually remove support for third-party cookies on Chrome. All in favor of greater privacy and greater control over their data, topics requested by an increasing number of users. In response, Google said the goal was to develop a new system that works for the entire online ecosystem, including for publishers.
The plan to force third-party cookies only over HTTPS was originally revealed in May 2019 to give IT administrators proper notice so they could update their websites in time for Chrome 80. The company then released a reminder last October, and in recent days has released a video explaining the news, and how web developers have to deal with it in order not to compromise the functionality of the sites.
The most obvious problems could be revealed in the log-in functions: to mitigate this type of problem Chrome has introduced a new feature that allows cookies without a specified SameSite attribute to be available for the type of POST request generally used for access flows. . Mitigation "Lax + POST", so called the modification, gives the cookie only two minutes to perform the intended function.
Google also warned that business administrators may need to implement special policies to bring Chrome back to legacy behavior if internal applications have not yet been updated to meet the new Chrome rules. The end user doesn't have to do anythingindeed, the change should strengthen security in browsing sessions.
