Cookies in Chrome and Safari

You have probably heard about the Facebook and Cambridge Analytica scandal, and you must have heard about the GDPR in the EU; there are likely more such stories. Privacy and security on the web have become a big deal to many consumers, so IT giants like Apple and Google are responding by introducing privacy and security measures in their browsers that limit the use of cookies.


Cookies SameSite attribute

Google recently announced that starting with Chrome 76, planned for a July 30, 2019 release, web developers need to explicitly specify which cookies may work across websites. In Chrome 76 this is only a preview that users can opt into, but starting with Chrome 80 it is going to be the default.

We all know the five cookie attributes: path, domain, expires, httpOnly and secure. The new policy starts enforcing a sixth attribute: SameSite.

According to the Mozilla docs, the new attribute:

Allows servers to assert that a cookie ought not to be sent along with cross-site requests, which provides some protection against cross-site request forgery attacks (CSRF).

The idea is to have a single cookie attribute that tells the web browser whether or not it should send the cookie with a request originating from a different website. SameSite is one more layer of security that you can add to your website alongside others, such as CSRF tokens. You should consider using it to improve your security posture.

Let me give you a simple example. A snippet of JavaScript on your example.com website can set such a cookie as follows:

<script>
    document.cookie = "foo=bar;SameSite=Strict;path=/";
</script>

The above code causes the browser to create a cookie foo=bar with SameSite set to Strict. The browser will then never attach that cookie to a request initiated from another site, so the cookie cannot be used in a cross-site attack against the site that set it.

The attribute supports other values that relax the policy a little. See the article that explains the new attribute in detail. Additionally, there is a very useful post with a sample website where you can test how such cookies behave in Chrome and in other browsers.

I mentioned Chrome, but other browsers support it too. You can find the support level on caniuse.com.

There is also an interesting read about how Adobe's Target implementation deals with the latest Chrome update.

Intelligent Tracking Prevention


Chrome's new cookie policy is nothing compared to what Apple has implemented in Safari, on both macOS and iOS.

Apple has long included features to reduce tracking. First, Safari blocked all third-party cookies by default. Then Apple started to build Intelligent Tracking Prevention (ITP), which reduces cross-site tracking by limiting cookies and other site data. Additionally, Apple has gradually tightened tracking prevention by limiting the storage period (7 days, or even 24 hours) of first-party cookies created via the document API. Cookies set server-side are not affected.

See how Intelligent Tracking Prevention gradually increases the visitor privacy in ITP 2.0, ITP 2.1 and ITP 2.2.

What does it mean for us, developers?

If you're using first-party client-side cookies to store information about the user, consider leveraging local storage or migrating to server-side cookies (set via the Set-Cookie response header) instead. There is great research by Simo Ahava on all the possible solutions that mitigate ITP restrictions, and it is worth exploring.
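To tie the SameSite example from the first section to the server-side Set-Cookie migration suggested here, the following is an added example (not code from the original post): a small model of the decision a browser makes before attaching a cookie to a request, and a builder for the Set-Cookie header. It assumes that a "site" can be approximated by the last two host labels, which ignores the Public Suffix List that real browsers consult.

```javascript
// Added example (not from the original post): a model of the SameSite decision a
// browser makes, plus a Set-Cookie builder for the server-side migration. Assumption:
// a "site" is approximated by the last two host labels, ignoring the Public Suffix List.

function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Parse a document.cookie-style string such as "foo=bar;SameSite=Strict;path=/".
// An unspecified SameSite defaults to Lax, as Chrome 80 treats it.
function parseCookie(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const [name, value] = pair.split('=');
  const cookie = { name, value, sameSite: 'Lax', secure: false, path: '/' };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'samesite') cookie.sameSite = v;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'path') cookie.path = v;
  }
  return cookie;
}

// Would the browser attach `cookie` to this request?
// request: { initiatorHost, targetHost, method, topLevel (navigation?), https }
function cookieSent(cookie, request) {
  if (cookie.secure && !request.https) return false;              // Secure: HTTPS only
  if (siteOf(request.initiatorHost) === siteOf(request.targetHost)) return true; // same-site
  switch (cookie.sameSite.toLowerCase()) {
    case 'strict': return false;                                   // never cross-site
    case 'none':   return cookie.secure;                           // cross-site only if Secure
    default:       return request.topLevel === true && request.method === 'GET'; // Lax
  }
}

// Build a Set-Cookie response header for a server-side cookie (Secure and HttpOnly by default).
function buildSetCookie({ name, value, sameSite = 'Lax', secure = true, httpOnly = true, maxAge, path = '/' }) {
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}
```

Feeding the post's `foo=bar;SameSite=Strict;path=/` cookie and a constructed cross-site form POST into `cookieSent` returns false, which is exactly the CSRF protection the attribute provides; a Lax cookie is only sent cross-site on a top-level GET navigation.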

If your solution uses 3rd-party cookies, you need to work out a solution based on first-party cookies. Adobe's marketing technology solutions (Visitor ID, Target, or Analytics) heavily relied on 3rd-party cookies or client-side cookies. See how Adobe mitigates the ITP impact for Adobe Experience Cloud solutions or Adobe Target.

Verify whether the tracking tags used on the website rely on 3rd-party cookies; if they do, in the worst case they stop working in Safari. Check with the vendor whether they provide mitigations.

Single Sign-on solutions relying on 3rd-party cookies might be affected as well. Check with the vendor whether ITP remediations are implemented or provided.

Stay tuned to the WebKit blog on privacy to see what is coming next in this area.