- 30 Jan
- Steve Marsi
Chrome 80: Cookie Changes Come to Latest Google Browser Update
No topic is of greater relevance to the online advertising world as we enter this new decade than privacy, whether you’re a publisher, advertiser or technology provider.
A few weeks ago, we discussed Google’s plan to phase out third-party cookies in its popular Chrome web browser, a move Mediavine supports and is prepared for.
These changes are part of a wide-ranging effort to improve privacy and security across the web that began early last year and will continue in the years to come.
In 2019, Chrome announced its plan for a secure-by-default model for cookies. This has come to fruition with the launch of Chrome 80 in February 2020.
Same-Site (First-Party) vs. Cross-Site (Third-Party) Cookies
So what are cookies anyway? If you’re at all familiar with advertising, third-party widgets, embeds and other online features, they’ve become a fact of life.
As you browse the web, any or all of these external services may store cookies inside your browser and subsequently access them later on.
This allows for a variety of benefits, including personalized experiences for advertisements. It also, however, has raised ample privacy concerns of late.
Every cookie has a domain associated with it. If that domain does not match the website in the user’s address bar, it’s considered cross-site, or third-party.
On the flip side, when a cookie’s domain does match the website domain in the user’s address bar, this is considered same-site, or first-party.
These cookies are commonly used for purposes we take for granted, like keeping you logged into your website or remembering your preferences.
We’ve dramatically simplified the cross-site vs. same-site designation above, but it’s critical to Chrome 80’s new road map for handling cookies.
Chrome 80 and a New Model For Security
Previously, if a cookie was intended to be accessed in a first-party context, a developer could apply one of two attributes, SameSite=Lax or SameSite=Strict.
As you can probably imagine, the SameSite=Lax syntax meant that both first party and third parties could access that cookie. SameSite=Strict meant that only the first party could access that cookie.
If neither Lax nor Strict were defined, up until now, most browsers treated the cookie’s data as set to “Lax”. Having the ability to define the “Strict” attribute theoretically prevented external access, but it required work not everyone did (or did correctly), leaving countless same-site cookies exposed.
Conversely, the new Chrome secure-by-default model assumes all cookies should be protected from external access unless specifically noted otherwise.
Under the updated model, developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site or third-party access.
Even if the “SameSite=None” attribute is present, an additional attribute, Secure, must be used so that cross-site cookies can only be accessed via HTTPS connections.
Defaulting on the side of security, Chrome 80 will treat cookies that have no declared SameSite value as SameSite=Lax cookies going forward.
What Happens Next?
Those who manage cross-site or third-party cookies must now apply the SameSite=None; Secure setting to those cookies.
Implementation should be straightforward, though a number of issues may arise as a result, including but not limited to:
- Not all languages and libraries support the “None” value yet, requiring the cookie header to be set directly;
- Some browsers, including earlier versions of Chrome, might read the None value in unintended ways;
- If you have cookies that are accessible in both a first- and third-party context, you may wish to use separate cookies for heightened security in a first-party context.
Please read Google’s Chromium blog post (link in fifth paragraph above) and this guide to SameSite cookies explained for more on this complex topic.
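To check which of your cookies are affected, the rules above can be applied to the Set-Cookie values a server emits. The following is an added example, not code from Mediavine or Google; the function names and sample headers are constructed for illustration, and `cross_site_header` shows the "set the header directly" workaround from the list above.

```python
# Added example: audit Set-Cookie values against the Chrome 80 rules described
# in this article. Function names and sample headers are constructed.

def parse_attributes(set_cookie):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def chrome80_verdict(set_cookie):
    """Return (name, effective SameSite, usable cross-site?, finding)."""
    name, attrs = parse_attributes(set_cookie)
    declared = attrs.get("samesite", "").lower()
    secure = "secure" in attrs  # Secure is a flag attribute with no value
    if declared == "none":
        if secure:
            return name, "None", True, "ok for cross-site use"
        return name, "None", False, "rejected: SameSite=None requires Secure"
    if declared == "strict":
        return name, "Strict", False, "first-party only"
    if declared == "lax":
        return name, "Lax", False, "declared Lax"
    return name, "Lax", False, "no recognised SameSite value: treated as Lax"


def cross_site_header(name, value):
    """Build the header value directly, for libraries without a None option."""
    return f"{name}={value}; Path=/; SameSite=None; Secure"


SAMPLE_HEADERS = [  # constructed examples
    "session=abc123; Path=/; HttpOnly",
    "widget_id=42; SameSite=None",
    "ad_pref=x; Domain=ads.example; SameSite=None; Secure",
    "csrf=tok; SameSite=Strict; Secure",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(chrome80_verdict(header))
    print(chrome80_verdict(cross_site_header("embed", "1")))
```

Any cookie reported as "treated as Lax" or "rejected" that an embed, widget or ad partner relies on in a third-party context needs the SameSite=None; Secure setting.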
Chrome 80 and the Drive For a Better Web
The bottom line is that the newest version of Chrome offers immediate security benefits, along with greater transparency and user choice in the long run.
It may sound confusing, but making explicit declaration of cross-site cookies the new standard is just another step toward a safer, healthier ecosystem.
On Mediavine’s end, we’re making sure that all of our assets are loaded over HTTPS connections and cookies have the appropriate SameSite attribute.
Unfortunately, we work with dozens of partners in the programmatic advertising industry that must implement these changes independently of us.
As such, it’s a work in progress, though we’re working with our partners to bring their cookies into compliance as quickly and efficiently as possible.
Our attitude toward changes of this nature is always to embrace them. Greater security, transparency and trust among users cannot be a bad thing.
Moreover, we believe a more secure web will actually help the business model of ad-supported websites, improving user control while serving better ads.