
Huh? The web has been working fine with 3rd party cookies entirely blocked for 2 decades. But never miss a chance to use a crisis as an excuse for rolling back enhanced privacy defaults... Never change, Google...
Quote Tweet
We've temporarily reverted Chrome's SameSite rollout, and intend to pick it back up in the summer. It was a necessary decision given that COVID-19 has redefined how web services are meeting essential needs for so many people right now. blog.chromium.org/2020/04/tempor
Replying to
SameSite cookies are a CSRF mitigation, not a privacy enhancement. SameSite=Strict stops cookies from being sent cross-origin and should be set for all cookies in newly developed code. SameSite=Lax still sends them for cross-origin GET requests for compatibility with legacy code.
Replying to and
If you disable third party cookies, existing cookies for a third party origin are still sent with requests to it. The only way that SameSite would improve privacy is if every cookie was forced to be SameSite=Strict and developers couldn't switch to SameSite=Lax or SameSite=None.
Replying to and
SameSite=Strict breaks sites that weren't designed around having static web pages with dynamic content requested via APIs. It means that when you navigate to a site with a link from another origin, the cookies aren't sent via that GET request. It will break legacy login systems.
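As an added illustration of the distinction drawn in this thread (example code, not written by any of the participants), the following Python model decides whether a cookie is attached to a request under each SameSite mode. It keys on the site (registrable domain, simplified here without a Public Suffix List), which is what the attribute compares, and the `lax_by_default` switch stands in for the reverted Chrome rollout that treats cookies lacking the attribute as Lax; the cookie names and URLs are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Methods that a Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Registrable domain, simplified: last two labels (assumption: no PSL lookup)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Cookie:
    name: str
    samesite: str  # "Strict", "Lax" or "None"


def samesite_from_set_cookie(header: str, lax_by_default: bool) -> str:
    """Effective SameSite mode of a Set-Cookie header.

    lax_by_default=True models the Chrome rollout (missing attribute => Lax);
    False models the legacy default (missing attribute => None).
    """
    for attr in header.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.lower() == "samesite" and value.capitalize() in ("Strict", "Lax", "None"):
            return value.capitalize()
    return "Lax" if lax_by_default else "None"


def cookie_sent(cookie: Cookie, request_url: str, initiator_url: str,
                method: str, top_level_navigation: bool) -> bool:
    """Would the browser attach this cookie to the request?"""
    if site_of(request_url) == site_of(initiator_url):
        return True                     # same-site: always sent, any mode
    if cookie.samesite == "None":
        return True                     # explicitly opted out of SameSite
    if cookie.samesite == "Strict":
        return False                    # never sent cross-site
    # Lax: cross-site only for a top-level navigation with a safe method, so the
    # login link from another site works but a cross-site form POST does not.
    return top_level_navigation and method.upper() in SAFE_METHODS


if __name__ == "__main__":
    sid = Cookie("sid", samesite_from_set_cookie("sid=abc; Path=/; Secure", True))
    print(sid, cookie_sent(sid, "https://app.example.com/dash", "https://other.test/", "GET", True))
```

A cross-site `<img>` fetch is a GET but not a top-level navigation, so the model (like the browser) withholds a Lax cookie from it.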