
Huh? The web has been working fine with 3rd party cookies entirely blocked for 2 decades. But never miss a chance to use a crisis as an excuse for rolling back enhanced privacy defaults... Never change, Google...
Quote Tweet
We've temporarily reverted Chrome's SameSite rollout, and intend to pick it back up in the summer. It was a necessary decision given that COVID-19 has redefined how web services are meeting essential needs for so many people right now. blog.chromium.org/2020/04/tempor
SameSite cookies are a CSRF mitigation, not a privacy enhancement. SameSite=Strict stops cookies from being sent cross-origin and should be set for all cookies in newly developed code. SameSite=Lax still sends them for cross-origin GET requests for compatibility with legacy code.
It seems like it's both. Disabling third party cookies is not a "hard" privacy protection, but it offloads the storage burden on the parties doing the tracking instead of letting them commandeer your browser to violate your privacy for them for free.
Browsers setting SameSite=Lax by default can be overridden with SameSite=None unless they're going to stop permitting that. SameSite=Lax still sends them for cross-origin navigation via a GET request so a quick redirect bounce through a third party still sends them the cookies.
Changing the default to SameSite=Lax will mitigate most CSRF attacks by default. SameSite=None was standardized so that developers can opt-out of the changed default. The option to disable third party cookies is a much different thing. That only disallows them from being set.
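As an added example that is not part of the thread: the cookie-attachment rules the replies above describe (Strict never crosses sites; Lax still rides along on a cross-site top-level GET navigation such as a link click or a redirect bounce through a third party, but not on a cross-site POST or a subresource fetch; None opts out of the default entirely; Chrome treats a cookie with no attribute as Lax and rejects None without Secure), modelled as a small decision function so the Strict/Lax/None differences can be exercised offline. `site()`, `isCookieSent()`, `runScenarios()` and every sample cookie and request below are constructed for this example and are not a browser API; the registrable-domain computation is a deliberate simplification.

```javascript
// Added example: a model of SameSite cookie attachment (RFC 6265bis rules as
// Chrome 80+ applies them). Not browser code; all names and samples are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// "Site" = scheme + registrable domain (Chrome's schemeful same-site).
// Real browsers consult the Public Suffix List; taking the last two host labels
// is a simplification here and is wrong for suffixes such as co.uk.
function site(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

// Effective SameSite value as Chrome treats it: no attribute -> Lax;
// None without Secure -> rejected when set, so it never reaches the jar.
// (Chrome's two-minute "Lax+POST" grace period for attribute-less cookies is not modelled.)
function effectiveSameSite(cookie) {
  if (cookie.sameSite === 'None' && !cookie.secure) return 'Rejected';
  return cookie.sameSite || 'Lax';
}

// Would the browser attach `cookie` (a host-only cookie for cookie.host) to
// req = { url, method, initiator, topLevelNavigation }?
// `initiator` is the URL of the document that caused the request: the page
// holding the form, the link, or the <img> tag.
function isCookieSent(cookie, req) {
  if (new URL(req.url).hostname !== cookie.host) return false; // cookie belongs elsewhere
  const sameSite = site(req.initiator) === site(req.url);
  switch (effectiveSameSite(cookie)) {
    case 'Strict':
      return sameSite;
    case 'Lax':
      // Lax additionally allows cross-site *top-level navigations* with a safe
      // method: a link click or redirect bounce still carries the cookie,
      // a cross-site POST or a subresource fetch does not.
      return sameSite || (req.topLevelNavigation && SAFE_METHODS.has(req.method));
    case 'None':
      return true;
    default:
      return false; // rejected cookies do not exist
  }
}

// Constructed scenarios matching the points raised in the thread.
function runScenarios() {
  const bankLax = { host: 'bank.example', secure: true };                       // no attribute -> Lax by default
  const bankStrict = { host: 'bank.example', secure: true, sameSite: 'Strict' };
  const trackerNone = { host: 'tracker.example', secure: true, sameSite: 'None' };
  const trackerNoneInsecure = { host: 'tracker.example', secure: false, sameSite: 'None' };
  const trackerLax = { host: 'tracker.example', secure: true, sameSite: 'Lax' };

  const csrfPost = { url: 'https://bank.example/transfer', method: 'POST',
                     initiator: 'https://evil.example/', topLevelNavigation: true };
  const csrfGetLink = { ...csrfPost, method: 'GET' };
  const ownFormPost = { ...csrfPost, initiator: 'https://www.bank.example/account' };
  const pixel = { url: 'https://tracker.example/pixel.gif', method: 'GET',
                  initiator: 'https://news.example/story', topLevelNavigation: false };
  const bounce = { url: 'https://tracker.example/bounce?to=https://shop.example/', method: 'GET',
                   initiator: 'https://news.example/story', topLevelNavigation: true };

  return {
    laxBlocksCrossSitePost: !isCookieSent(bankLax, csrfPost),              // classic CSRF form: mitigated
    laxSendsOnCrossSiteGetNavigation: isCookieSent(bankLax, csrfGetLink), // state-changing GET still exposed
    laxSendsOnSameSitePost: isCookieSent(bankLax, ownFormPost),           // legitimate same-site use unaffected
    strictBlocksCrossSiteGetNavigation: !isCookieSent(bankStrict, csrfGetLink),
    noneSecureSentWithThirdPartyPixel: isCookieSent(trackerNone, pixel),  // explicit opt-out of the default
    noneWithoutSecureIsRejected: !isCookieSent(trackerNoneInsecure, pixel),
    laxTrackerNotSentWithPixel: !isCookieSent(trackerLax, pixel),
    laxTrackerSentOnRedirectBounce: isCookieSent(trackerLax, bounce),     // the bounce the thread mentions
  };
}

console.log(runScenarios());
```

Run with `node` to print the scenario table; every entry is expected to be `true`. The Lax cases are the ones worth studying: the same cookie that stops a cross-site POST is still attached to a cross-site top-level GET, which is why Lax alone does not protect state-changing GET endpoints and why a redirect bounce through a third-party host still delivers that host its Lax cookies.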
If you disable third party cookies, existing cookies for a third party origin are still sent with requests to it. The only way that SameSite would improve privacy is if every cookie was forced to be SameSite=Strict and developers couldn't switch to SameSite=Lax or SameSite=None.