SameSite Cookie Changes Rolled Back Until Summer

The Chromium Project announced on Friday that it's delaying enforcement of SameSite cookie changes, and is temporarily rolling back those changes, because of the COVID-19 turmoil.

The new goal is to resume the SameSite changes sometime "over the summer," according to the announcement. The new plans apply to the stable releases of Chromium-based browsers (Chrome, Edge and Opera), but don't wholly apply to nonstable browser releases.

"Non-stable Chrome channels (e.g. Dev, Canary, and Beta) will continue with 50% enablement in Chrome 80 and later," the Chromium project clarified at its SameSite Updates page.

This SameSite change, which kicked off in February, is intended to prevent possible cross-site request forgery attacks that rely on cookies. The Chromium project, following an Internet Engineering Task Force draft proposal, is aiming to enforce the "Lax" attribute when no SameSite value is declared in a site's header. If the SameSite attribute is declared as "None," then site owners have to add a Secure attribute, which restricts the cookie to the more secure HTTPS protocol.
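For site owners checking their own responses, the two rules above can be applied to Set-Cookie values as in the following added example, which is not code from the article or from the Chromium project. The function names and the sample headers are constructed for illustration.

```javascript
// Constructed sample Set-Cookie values (not taken from any real site).
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",
  "widget=1; Path=/; SameSite=None",
  "sso=tok; SameSite=None; Secure",
  "pref=dark; SameSite=Strict",
];

// Hypothetical helper: report how one Set-Cookie value is treated once
// the SameSite defaults are enforced.
function classifySetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let sameSite = null;
  let secure = false;
  for (const attr of attrs) {
    // Attribute names and SameSite values are matched case-insensitively.
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "samesite") sameSite = value;
    if (key === "secure") secure = true;
  }
  if (sameSite === "none") {
    // SameSite=None is only honored together with the Secure attribute.
    return { name, effective: "None", accepted: secure, defaulted: false };
  }
  if (sameSite === "strict" || sameSite === "lax") {
    const effective = sameSite === "strict" ? "Strict" : "Lax";
    return { name, effective, accepted: true, defaulted: false };
  }
  // No SameSite declared: treated as Lax.
  // Assumption: an unrecognized value is handled the same way.
  return { name, effective: "Lax", accepted: true, defaulted: true };
}

// Cookies a site owner should review: not accepted, or silently
// switched to Lax and so no longer sent in third-party contexts.
function cookiesNeedingReview(headers) {
  return headers
    .map(classifySetCookie)
    .filter((c) => !c.accepted || c.defaulted)
    .map((c) => c.name);
}

console.log(cookiesNeedingReview(SAMPLE_HEADERS));
```
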

This SameSite change is of note to Web site owners, as it affects how "third-party" cookies function. However, Microsoft had also warned back in January that various Microsoft applications could be affected by the SameSite behavioral change.

For instance, the SameSite change could affect ASP.NET Web sites and applications based on OpenID federation, including Microsoft Teams and SharePoint provider-hosted App Parts add-ins. Organizations using Windows Server 2016 and Windows Server 2019 will need certain January updates in place, as well.

The Chromium Project plans to provide further notice about its SameSite plans, which will get announced via the SameSite Updates page.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.