What's this about?

In February 2020, the Chrome browser will change how it handles cookies in cross-site requests. This document provides some technical details about these changes.

Actions on your side

Check whether you are impacted by these changes, in particular regarding any integrations you may have with Secutix, and make sure you take the required actions on your side.

More technical details

Starting with release 80 of Google Chrome in February 2020, the “SameSite” cookie attribute will default to “Lax” (currently this defaults to “None” if not set). For cookies that do not currently set this attribute, the change may affect when they are sent with cross-site requests.

If you are using cookies in your integration with Secutix, make sure they satisfy the new default Chrome settings so that they continue to reach your application as expected.


How to test

  1. To test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the “SameSite by default cookies” and “Cookies without SameSite must be secure” experiments. Restart the browser for the changes to take effect.
  2. Test your site with a focus on anything involving federated login flows, multiple domains, or cross-site embedded content.
  3. Finally, if you’re concerned about the readiness of vendors and others who provide services to your website, you can check for Developer Tools console warnings when a page contains cross-site cookies that are missing the required settings.
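
To complement the manual test steps above, the following added example (not part of the original page or of any Secutix or Chrome code) classifies `Set-Cookie` header values the way the two experiments treat them. The function names, verdict labels and sample headers are constructed for illustration, and treating an unrecognised SameSite value like a missing one is an assumption of this example.

```python
# Added example: how Chrome 80 treats a Set-Cookie header under the new defaults.
# Sample headers and cookie names are constructed for illustration.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(header):
    """Return (cookie name, verdict) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # "Cookies without SameSite must be secure": None is only honoured with Secure.
        return name, ("ok-cross-site" if "secure" in attrs else "rejected")
    if samesite in ("lax", "strict"):
        return name, samesite
    # Attribute missing (or, as an assumption here, unrecognised):
    # "SameSite by default cookies" applies and the cookie is treated as Lax.
    return name, "defaults-to-lax"


def audit(headers):
    """Return the (name, verdict) pairs whose behaviour changes in Chrome 80."""
    results = [classify(h) for h in headers]
    return [r for r in results if r[1] in ("rejected", "defaults-to-lax")]


# Constructed sample Set-Cookie header values.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",
    "widget=1; Path=/; SameSite=None",
    "sso=tok=en; Path=/; Secure; SameSite=None",
    "prefs=dark; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```

A cookie reported as `defaults-to-lax` only needs changing if your integration relies on it being sent with cross-site requests; in that case set `SameSite=None; Secure` explicitly.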

Further details about the Chrome switch can be found here: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

For official specifications of the cookie “SameSite” attribute see: https://tools.ietf.org/html/draft-west-first-party-cookies-07
