Until now, Chrome has treated a cookie that carries no SameSite attribute as SameSite=None, which lets first-party as well as third-party websites set and read cookies in the user's browser and track users as they move between sites.
Unfortunately, many developers and website owners have not actively adopted the SameSite cookie values Lax and Strict, and the None default leaves websites exposed to CSRF (Cross-Site Request Forgery).
To push the web community toward safer browsing, Chrome is introducing the following changes in its v80 update:
- Lax becomes the default SameSite value. If you do not explicitly set a SameSite value on a cookie, Chrome treats it as SameSite=Lax.
- A cookie with SameSite=None must also carry the Secure attribute, so the browser only sends it over a secure (HTTPS) connection. SameSite=None cookies without Secure are rejected. Here is an example of a cookie with SameSite=None and Secure:
Example: Set-Cookie: demo_view=xyz356; SameSite=None; Secure
Case #1: If you work directly with an advertiser or a platform (think Facebook), they most likely set cookies on your users and have pixels on your pages.
What should you do: Ask them to set the SameSite attribute of their cookies to None (together with Secure) so the cookies are sent on first-party as well as third-party requests from your website.
Case #2: You monetize the website through a third-party programmatic partner.
What should you do: Talk to their representatives and confirm that they have updated their cookies. If they have not, the share of ad revenue coming from Chrome v80 users may decline.