Huh? The web has been working fine with 3rd party cookies entirely blocked for 2 decades. But never miss a chance to use a crisis as an excuse for rolling back enhanced privacy defaults... Never change, Google...
Quote Tweet
We've temporarily reverted Chrome's SameSite rollout, and intend to pick it back up in the summer. It was a necessary decision given that COVID-19 has redefined how web services are meeting essential needs for so many people right now. blog.chromium.org/2020/04/tempor
Replying to
SameSite cookies are a CSRF mitigation, not a privacy enhancement. SameSite=Strict stops cookies from being sent cross-origin and should be set for all cookies in newly developed code. SameSite=Lax still sends them for cross-origin GET requests for compatibility with legacy code.
Replying to and
Changing the default to SameSite=Lax will mitigate most CSRF attacks by default. SameSite=None was standardized so that developers can opt-out of the changed default. The option to disable third party cookies is a much different thing. That only disallows them from being set.
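As an added illustration that is not part of the thread, here is a small Python model of the behaviour the two replies above describe: Strict, Lax, None, the Secure requirement on None, and the Lax-by-default change. Site classification is reduced to a `cross_site` boolean, and `SAFE_METHODS` is the cookie spec's safe-method list.

```python
# Added example, not code from the thread: models when a browser attaches a
# cookie under SameSite rules, and builds the Set-Cookie line a server emits.
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None = attribute absent
    secure: bool = False

@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiator site differs from the cookie's site
    top_level_navigation: bool  # link click / form submit, not <img>, fetch, iframe
    https: bool = True

def set_cookie_header(name: str, value: str, same_site: str, secure: bool) -> str:
    """Build the Set-Cookie value a server sends (SameSite=None also needs Secure)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["samesite"] = same_site
    jar[name]["secure"] = secure
    return jar.output(header="").strip()

def accepted(cookie: Cookie) -> bool:
    """Browsers reject SameSite=None unless the cookie is also marked Secure."""
    return not (cookie.same_site == "None" and not cookie.secure)

def is_sent(cookie: Cookie, req: Request, lax_by_default: bool = True) -> bool:
    """Would the browser attach this cookie to the request?"""
    if not accepted(cookie) or (cookie.secure and not req.https):
        return False
    mode = cookie.same_site
    if mode is None:  # legacy default: unrestricted; the Chrome change: Lax
        mode = "Lax" if lax_by_default else "None"
    if not req.cross_site or mode == "None":
        return True
    if mode == "Strict":
        return False  # never attached to a cross-site request
    # Lax: cross-site only on top-level navigations using a safe method
    return req.top_level_navigation and req.method in SAFE_METHODS

# Classic CSRF vector: an auto-submitted cross-site form POST (constructed)
CSRF_POST = Request(method="POST", cross_site=True, top_level_navigation=True)
```

Running `is_sent(Cookie("sid", None), CSRF_POST, lax_by_default=False)` versus `lax_by_default=True` shows why the default change alone removes the session cookie from the forged POST.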
Replying to
Third party cookies just shouldn't exist at all. It's shameful that any browser still supports them. Default should have been disabled 20 years ago, removed entirely (no option to enable) 10 years ago.
Replying to
The third party cookie toggle in web browsers for enabling/disabling them only applies to setting cookies, not sending existing ones, so the meaning of third party cookie has been watered down by browsers. The toggle has the same issue I mentioned with a forced SameSite=Lax.