RapidIdentity Product Guide

Google Chrome™ 80 Introducing Secure-by-Default Model for Cookies

February 2020

To all customers,

What's Happening?

Chrome 80 introduces a high-profile security change to cookie handling. The SameSite attribute (defined in RFC6265bis) lets you declare whether a cookie should be restricted to a first-party or same-site context. A site is the combination of the domain suffix and the label just before it; for example, the "www.web.dev" domain is part of the "web.dev" site.

To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice.

Who's Affected?

Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections.

Action Required:

Enterprise IT administrators may need to implement special policies to temporarily revert Chrome Browser to legacy behavior if some services such as single sign-on or internal applications are not ready for the February launch.

If you have cookies that you access in both a first-party and a third-party context, consider using separate cookies so that the first-party cookie gets the security benefits of SameSite=Lax.

If you manage cookies that are only accessed in a same-site context (same-site cookies), no action is required on your part; Chrome will automatically prevent those cookies from being accessed by external entities, even if the SameSite attribute is missing or has no value. However, we strongly recommend that you apply an appropriate SameSite value (Lax or Strict) rather than rely on default browser behavior, since not all browsers protect same-site cookies by default.
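The following audit script is an added example (not Identity Automation or Chromium code) that applies the rules above to Set-Cookie headers: a SameSite=None cookie without Secure is rejected by Chrome 80, a cookie with no SameSite value is treated as Lax, and explicit Lax/Strict values need no change. The sample headers in the test are constructed; treating an unrecognised SameSite value like an absent one is an assumption of this script, not something the advisory states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    declared: Optional[str]   # SameSite value as sent, or None if absent
    secure: bool
    effective: str            # how Chrome 80 will treat the cookie
    warning: Optional[str]    # what the issuing service should change


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Classify one Set-Cookie header under Chrome 80's secure-by-default rules."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    declared = attrs.get("samesite")
    value = declared.lower() if declared is not None else None
    if value == "none":
        if secure:
            return CookieAudit(name, declared, True, "None", None)
        # Chrome 80 rejects SameSite=None cookies that are not also Secure
        return CookieAudit(name, declared, False, "rejected",
                           "SameSite=None requires the Secure attribute")
    if value in ("lax", "strict"):
        return CookieAudit(name, declared, secure, value.capitalize(), None)
    # Absent SameSite (and, by assumption, an unrecognised value): Chrome 80 applies
    # Lax, so any cross-site use breaks; other browsers may not apply that default
    return CookieAudit(name, declared, secure, "Lax",
                       "no explicit SameSite value; declare Lax or Strict "
                       "(or None; Secure if the cookie must work cross-site)")


def cookies_needing_action(headers: List[str]) -> List[str]:
    """Return 'name: warning' lines for every header that needs a change."""
    return [f"{a.name}: {a.warning}" for a in map(audit_set_cookie, headers) if a.warning]
```

Run it against the Set-Cookie headers captured from a service's login response to see which cookies the Chrome 80 defaults will change.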


Based on the information in this advisory, we have determined that, given the nature of the update, none of our products should be affected. Identity Automation has nevertheless proactively validated Chrome 80 on our appliances and confirmed that none are directly affected.

If you have any further questions about this notification, please contact us at support@idauto.net.