Chrome SameSite change – fixing problems accessing some sites
Google is deploying a new security feature (“SameSite”) to Chrome versions 80 and above, starting February 17th, 2020. This feature will be rolled out gradually.
What is the impact?
You may or may not experience problems accessing certain sites that connect to external sites. You may have a different experience from computer to computer for a while, since Google is not updating every computer at the same time.
If you are experiencing problems when you log into one site and it directs you to another company’s or organization’s website, you might be impacted. Some sites may simply fail to work properly because they connect to another site in the background, where you would not see it happening.
What should I do?
If you are experiencing problems, you can try changing a setting in Chrome.
Alternatively, you can use a different browser, such as Firefox.
How do I change the setting?
- In your Chrome browser address bar, enter chrome://flags
- In the search box, enter samesite
- Set the “SameSite by default cookies” option to disabled
- Set the “Cookies without SameSite must be secure” option to disabled
- Relaunch the browser
Will this impact my security?
Yes. The SameSite setting is intended to make browsing more secure, and is important.
However, it is not currently considered a critical update. Google is providing a way to opt out, which will be available at least until February 2021. This is because many websites have not yet updated their code and may break, so Google is allowing some time for the market to catch up. Our view is that if it doesn’t impact your use of the web, leave the default settings in place. However, if you are having trouble with sites not working for you, then it’s OK to use this workaround.
What about other browsers such as Firefox and Edge?
Other browsers are planning to implement SameSite. Firefox and Edge are anticipated to implement this after watching how things go for Chrome users for a little while.
What does SameSite do?
SameSite restricts the ability of third-party cookies to track users across websites, which protects against data leakage and provides some privacy. The new setting protects against some malicious behavior, such as cross-site request forgery attacks, in which bad actors trick users into clicking links that take advantage of these kinds of cookies to access other applications, such as the user’s bank site.
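The rule change described above, and what the two flags in the workaround switch off, shown as an added example that is not part of the original page and is not Chrome's code. It is a simplified model; the function names, the request shape and the sample cookies are constructed for illustration.

```javascript
// Constructed, simplified model of Chrome 80+ cookie handling; not Chrome's code.
// The two flags mirror the chrome://flags entries named in the steps above and
// are assumed to be switched together, as the workaround does.
const CHROME_80_DEFAULTS = { sameSiteByDefault: true, noneMustBeSecure: true };
const WORKAROUND = { sameSiteByDefault: false, noneMustBeSecure: false };

// Parse a Set-Cookie header value into the attributes this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const cookie = { name: pair.split("=")[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

// request: { crossSite, topLevelNavigation, method }
function cookieIsSent(header, request, flags = CHROME_80_DEFAULTS) {
  const cookie = parseSetCookie(header);
  const declared = ["strict", "lax", "none"].includes(cookie.sameSite);
  // No (valid) SameSite attribute: Lax under the new default, None before it.
  const mode = declared ? cookie.sameSite : flags.sameSiteByDefault ? "lax" : "none";
  // SameSite=None without Secure is rejected outright, so it is never sent.
  if (cookie.sameSite === "none" && flags.noneMustBeSecure && !cookie.secure) return false;
  if (!request.crossSite || mode === "none") return true;
  if (mode === "strict") return false;
  // Lax: cross-site only on top-level navigations with a safe method.
  return request.topLevelNavigation && ["GET", "HEAD"].includes(request.method);
}

// Constructed scenarios matching the situations the page describes.
const EMBEDDED = { crossSite: true, topLevelNavigation: false, method: "GET" };
const FORGED_POST = { crossSite: true, topLevelNavigation: true, method: "POST" };
const LINK_CLICK = { crossSite: true, topLevelNavigation: true, method: "GET" };

// For each scenario: [sent with Chrome 80 defaults, sent with the workaround].
function summary(header) {
  return [EMBEDDED, FORGED_POST, LINK_CLICK].map((req) =>
    [cookieIsSent(header, req, CHROME_80_DEFAULTS), cookieIsSent(header, req, WORKAROUND)]);
}

console.log("legacy cookie: ", JSON.stringify(summary("session=abc123; Path=/")));
console.log("updated cookie:", JSON.stringify(summary("session=abc123; SameSite=None; Secure")));
```

The legacy cookie is withheld from the embedded request and the forged POST under the defaults, which is both why some sites break and why the forged request no longer carries the session; a site that declares SameSite=None; Secure works without the workaround.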