Alongside the changes that the main browsers such as Safari and Firefox are making in the management of third-party cookies, Chrome also has important changes in its version 80, scheduled for February 2020. This post explains the context, the changes Chrome makes, and the implications of those changes. We will also see how to test whether our site is prepared to handle them correctly.

First and third-party cookies
In general, we understand first-party data to be data that belongs to us directly, without third-party intervention. In the context of cookies, first-party cookies are those that are managed directly from the main domain of the site. That is, all cookies whose main domain is the same as the site we are on. In contrast, third-party cookies are those that belong to main domains other than the site we are on.

Changes to the cookie law in Chrome

Third-party cookies are useful for maintaining global consistency in user navigation. For example, if we embed a YouTube video on our site, the fact that the user is logged into YouTube, has seen the video before or has marked it to watch later is managed with a third-party cookie. Without this cookie, the user would have to leave our site and go to YouTube to log in again. The problem is that there are many not-so-benign uses of these types of cookies. The best known is their use to track the user across all their browsing for profiling and online advertising purposes. But there are also much more serious potential security breaches.

The management of third-party cookies in the main browsers
Legislative changes such as the GDPR, together with growing public awareness of online privacy, have caused great changes in how the main browsers such as Safari or Firefox manage these third-party cookies.
Safari started this crusade against online tracking in 2017 with its ITP (Intelligent Tracking Prevention), which already prevented the use of third-party cookies. ITP has evolved and is now at version 2.3, with which Apple also protects against certain uses of first-party cookies and against other tactics such as local storage.

Firefox has taken a similar approach, but a less aggressive one. Instead of blocking all cookies by default it uses a blacklist: it checks whether the cookie belongs to a domain identified in a list of domains that perform advertising and tracking (the disconnect.me list).

Chrome so far has opted for much less aggressive tactics. It does not block first- or third-party cookies by default, although it does offer that option to its users through its privacy settings. The big change that comes in version 80 of Chrome is that the changes are active by default, without the user having to enable them explicitly.

Managing cookies in Chrome 80
Chrome, from version 80, will begin to enforce the secure use of the SameSite attribute for third-party uses. The SameSite attribute is not new, but until now it was not being used regularly. It offers three possible values:

SameSite=Strict: purely first-party use.
SameSite=Lax: an intermediate point that allows certain uses in a third-party context. The cookie is allowed when the user arrives from an external domain through a direct link, for example to keep a user logged in. But it does not allow the cookie to be used with other methods such as POST.
SameSite=None: standard third-party use.
The big difference in this Chrome update is that SameSite=None must be declared together with the Secure attribute. That is, the following will be rejected:
Set-Cookie: promo=abc123; SameSite=None

And the following should be used instead:

Set-Cookie: promo=abc123; SameSite=None; Secure
In the first case Chrome will reject the cookie, and if SameSite is not declared at all it will manage the cookie as if it were SameSite=Lax, thereby blocking its use by third parties.

How does this change affect me?
It is not necessary to worry about the management of Google's own cookies, but if we have cross-site functionality that relies on other cookies it is important to make sure they comply with the standard. Otherwise we will find functionality that no longer works.

Important difficulties to consider:

Not all languages and libraries allow the None value today. In these cases it must be declared directly in the cookie header. For more information you can consult the following GitHub repository.
Some older browsers are unable to handle the None value properly (see the list of incompatible browsers).
How to test the effect on my site
It is highly recommended to check as soon as possible whether this change is going to have a significant effect on our online properties.

To test on Chrome 76+ versions:

Go to chrome://flags and enable #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Restart the browser.
Start the tests. It is especially important to check everything related to navigation flows that must maintain a login, changes between domains and cross-site content. It is also important to bear in mind that, due to the 2-minute limitation of “Lax + POST”, it is advisable to test any flow that involves a POST with delays of less
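To make the rules from the "Managing cookies in Chrome 80" section and the "Lax + POST" note above concrete, here is an added example (not code from the original post, nor from Chrome itself). It is a simplified Python model of how Chrome 80 classifies a Set-Cookie header and decides whether to attach the cookie to a request, plus a helper that emits a raw header for frameworks whose cookie API does not accept the None value yet. The header strings are constructed samples (including the two from the post), the function names are my own, and treating an unrecognised SameSite value as an absent attribute is an assumption of the model.

```python
"""Model of the Chrome 80 SameSite rules described in the post.

Added illustration, not code from the original post or from Chrome. It is a
simplified model: attribute names are matched case-insensitively, and a
SameSite value other than Strict/Lax/None is treated as if the attribute
were absent (an assumption of this model).
"""
from dataclasses import dataclass
from typing import Optional

# Chrome 80's "Lax + POST" allowance: cookies without a SameSite attribute
# are still sent on top-level cross-site POSTs for 2 minutes after being set.
LAX_POST_WINDOW_SECONDS = 120
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into the fields the SameSite rules need."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    samesite, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            val = val.strip().capitalize()
            samesite = val if val in ("Strict", "Lax", "None") else None
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), samesite, secure)


def chrome80_disposition(cookie: Cookie) -> str:
    """How Chrome 80 treats a newly set cookie, following the post's rules."""
    if cookie.samesite == "None" and not cookie.secure:
        return "rejected"          # SameSite=None without Secure is dropped
    if cookie.samesite is None:
        return "Lax-by-default"    # no attribute: handled as Lax
    return cookie.samesite         # explicit Strict, Lax or (secure) None


def would_be_sent(cookie: Cookie, *, same_site: bool, top_level: bool,
                  method: str, age_seconds: float = 0.0) -> bool:
    """Would Chrome 80 attach this cookie to a request?

    same_site:   the request goes to the same site that set the cookie
    top_level:   the request is a top-level navigation, not an embed or XHR
    method:      HTTP method of the request
    age_seconds: time since the cookie was set, for the Lax+POST window
    """
    disposition = chrome80_disposition(cookie)
    if disposition == "rejected":
        return False
    if same_site or disposition == "None":
        return True
    if disposition == "Strict" or not top_level:
        return False
    if method.upper() in SAFE_METHODS:
        return True                # Lax: top-level link navigation is allowed
    # Lax does not cover POST, unless the cookie is Lax-by-default and young
    return disposition == "Lax-by-default" and age_seconds < LAX_POST_WINDOW_SECONDS


def build_set_cookie(name: str, value: str, *, samesite: str = "Lax",
                     secure: bool = False) -> str:
    """Emit a raw Set-Cookie value, for frameworks whose cookie API lacks SameSite=None."""
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None must be combined with Secure")
    parts = [f"{name}={value}", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample headers, including the two from the post.
    for header in ("promo=abc123; SameSite=None",
                   "promo=abc123; SameSite=None; Secure",
                   "session=xyz"):
        c = parse_set_cookie(header)
        print(f"{header!r:45} -> {chrome80_disposition(c)}")
    # A cross-site POST from an embedded frame: the default-Lax cookie stays home.
    print(would_be_sent(parse_set_cookie("session=xyz"),
                        same_site=False, top_level=False, method="POST"))
```

Running the script against your own Set-Cookie headers (copied from the Network tab) tells you in advance which cookies Chrome 80 will drop or downgrade; the `age_seconds` argument of `would_be_sent` is what models the 2-minute "Lax + POST" window that the testing advice above refers to.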