Huh? The web has been working fine with 3rd party cookies entirely blocked for 2 decades. But never miss a chance to use a crisis as an excuse for rolling back enhanced privacy defaults... Never change, Google...
Quote Tweet
We've temporarily reverted Chrome's SameSite rollout, and intend to pick it back up in the summer. It was a necessary decision given that COVID-19 has redefined how web services are meeting essential needs for so many people right now. blog.chromium.org/2020/04/tempor
SameSite cookies are a CSRF mitigation, not a privacy enhancement. SameSite=Strict stops cookies from being sent cross-origin and should be set for all cookies in newly developed code. SameSite=Lax still sends them for cross-origin GET requests for compatibility with legacy code.
It seems like it's both. Disabling third party cookies is not a "hard" privacy protection, but it offloads the storage burden on the parties doing the tracking instead of letting them commandeer your browser to violate your privacy for them for free.
Browsers setting SameSite=Lax by default can be overridden with SameSite=None unless they're going to stop permitting that. SameSite=Lax still sends them for cross-origin navigation via a GET request so a quick redirect bounce through a third party still sends them the cookies.
Forcing SameSite=Strict would be a major privacy improvement far more powerful than disabling third party cookies. Forcing SameSite=Lax/Strict would be a privacy improvement but with that already widely used redirect bypass. However, they aren't forcing it, just changing the default.
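
The SameSite behaviour discussed in this thread, as an added example that is not part of any participant's tweets: a simplified model of a browser's decision to attach a cookie to a cross-site request under Strict, Lax, the Lax default, and None. The function names and request shapes are constructed for illustration, and whether a request is cross-site is taken as an input rather than computed from the URLs.

```javascript
'use strict';

// Methods that qualify for the Lax top-level navigation exception.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Extract the SameSite mode from a Set-Cookie header value.
// A missing or unrecognised attribute falls back to defaultMode:
// 'lax' models the changed default, 'none' the legacy behaviour.
function sameSiteMode(setCookie, defaultMode = 'lax') {
  let mode = defaultMode;
  for (const attr of setCookie.split(';').slice(1)) {
    const [name, value = ''] = attr.trim().split('=');
    if (name.trim().toLowerCase() !== 'samesite') continue;
    const v = value.trim().toLowerCase();
    mode = ['strict', 'lax', 'none'].includes(v) ? v : defaultMode;
  }
  return mode;
}

// Decide whether the cookie is attached to a request.
// req: { crossSite: boolean, topLevelNavigation: boolean, method: string }
function cookieIsSent(setCookie, req, defaultMode = 'lax') {
  if (!req.crossSite) return true;        // same-site requests always carry it
  const mode = sameSiteMode(setCookie, defaultMode);
  if (mode === 'none') return true;       // explicit opt-out of the default
  if (mode === 'strict') return false;    // never sent cross-site
  // Lax: only top-level navigations using a safe method.
  return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
}

// Constructed cross-site request shapes (not captured traffic).
const REQUESTS = {
  embeddedImage: { crossSite: true, topLevelNavigation: false, method: 'GET' },
  formPost: { crossSite: true, topLevelNavigation: true, method: 'POST' },
  redirectBounce: { crossSite: true, topLevelNavigation: true, method: 'GET' },
};

// Build a cookie x request table of send / don't-send decisions.
function matrix(cookies, defaultMode = 'lax') {
  const out = {};
  for (const c of cookies) {
    out[c] = {};
    for (const [name, req] of Object.entries(REQUESTS)) {
      out[c][name] = cookieIsSent(c, req, defaultMode);
    }
  }
  return out;
}

console.table(matrix(['sid=1; SameSite=Strict', 'sid=1; SameSite=Lax',
  'sid=1', 'sid=1; SameSite=None; Secure']));
```

The `redirectBounce` column is the navigation case raised in the thread: it is the only cross-site request shape on which a Lax (or defaulted) cookie is still sent.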