Google, the largest handler of web cookies, plans to change the way its Chrome browser deals with the tokens, ostensibly to promote greater privacy, following similar steps taken by rival browser makers Apple, Brave, and Mozilla.
At Google I/O 2019 on Tuesday, Google's web platform director Ben Galbraith announced the plan, which has begun to appear as a hidden opt-in feature in Chrome Canary – a version of Chrome for developer testing – and is expected to evolve over the coming months.
When a website creates a cookie on a visitor's device for its own domain, it's called a first-party cookie. Websites may also send responses to visitor page requests that refer to resources on a third-party domain, like a one-pixel tracking image hosted by an advertising site. By attempting to load that invisible image, the visitor enables the ad site to set a third-party cookie, if the user's browser allows it.
Third-party cookies can have legitimate uses. They can help maintain state across sites. For example, they let an embedded YouTube video (the third party on someone else's website) recognise a visitor who is already logged in to YouTube, without forcing that visitor to navigate to YouTube, log in and return.
But they can also be abused, which is why browser makers have implemented countermeasures. Apple uses WebKit's Intelligent Tracking Prevention, for example, to limit third-party cookies. Brave and Firefox block third-party trackers and their cookies by default.
Now finally Google has decided to do something.
Welcome to the new class system
"Moving forward Chrome will make all cookies limited to first party contexts by default, and will require developers to explicitly mark a cookie as needing third-party visibility, which creates a clear distinction between first party and third party cookies and enhances web safety," said Galbraith.
As part of this change, developers will be required to explicitly mark cookies to make them accessible by third parties. This is done using the SameSite attribute (defined by RFC6265bis), which provides three options:
Strict, as its name suggests, means the cookie is only sent in a first-party (same-site) context, that is, when the request's site matches the site displayed in the browser address bar; it is withheld even when the user arrives by following a link from another site.
Lax withholds the cookie from cross-site subresource requests, such as an externally hosted image, and from cross-site form POSTs, but allows it when the user clicks a link that leads to the cookie's site (a top-level navigation).
None makes the cookie available in cross-site contexts, which is how a developer marks a cookie as needing third-party visibility; under Google's plan such cookies must also carry the Secure attribute.
Chrome 76, scheduled for release in July, is introducing a same-site-by-default-cookies flag that changes the default behaviour of the Set-Cookie response header: when no SameSite value is supplied, the cookie is treated as SameSite=Lax. When this flag is set in Chrome, cookies without the SameSite attribute – probably the majority, since the SameSite attribute is fairly recent – will be treated as if they were SameSite=Lax.
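To make the rules above concrete, here is a small simulator, added as an illustrative example and not code from Google, Chrome or The Register. It parses Set-Cookie headers, applies the Chrome 76 rule that a missing SameSite attribute means Lax and the planned rule that SameSite=None requires Secure, decides whether a given request would carry the cookie, and audits a list of constructed sample headers for cookies that a cross-site embed or tracker would lose. The treatment of an unrecognised SameSite value as a missing attribute is an assumption.

```javascript
// Added example: simulate Chrome 76's "same-site-by-default-cookies" behaviour
// and audit Set-Cookie headers against it. Illustrative code; sample headers are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one Set-Cookie header value into the fields the SameSite decision needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    sameSite: null, // null: attribute absent (or unrecognised, by assumption)
    secure: false,
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') {
      const val = rawVal.trim().toLowerCase();
      if (['strict', 'lax', 'none'].includes(val)) cookie.sameSite = val;
    }
  }
  return cookie;
}

// Effective policy: with the Chrome 76 flag on, a missing attribute becomes Lax;
// with it off (older behaviour), a missing attribute imposes no restriction.
function effectiveSameSite(cookie, sameSiteByDefault = true) {
  if (cookie.sameSite) return cookie.sameSite;
  return sameSiteByDefault ? 'lax' : 'none';
}

// Would the browser attach this cookie to a request?
// request = { crossSite, topLevel, method }: crossSite is true when the request's
// site differs from the site in the address bar; topLevel is true for navigations.
function willSend(cookie, request, sameSiteByDefault = true) {
  if (!request.crossSite) return true; // first-party context: always sent
  switch (effectiveSameSite(cookie, sameSiteByDefault)) {
    case 'strict':
      return false;
    case 'lax':
      // Only top-level navigations with a safe method (a clicked link); never
      // subresources such as an ad pixel or embedded player, never cross-site POSTs.
      return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
    case 'none':
      return true;
    default:
      return false;
  }
}

// Audit one header. intendedCrossSite says whether the cookie is meant to work in
// a third-party context (embedded player, tracker, single sign-on widget).
function auditSetCookie(header, intendedCrossSite) {
  const cookie = parseSetCookie(header);
  if (cookie.sameSite === 'none' && !cookie.secure) {
    return { name: cookie.name, status: 'rejected', reason: 'SameSite=None requires Secure' };
  }
  const effective = effectiveSameSite(cookie);
  if (intendedCrossSite && effective !== 'none') {
    return { name: cookie.name, status: 'breaks', reason: `treated as SameSite=${effective}; add "SameSite=None; Secure"` };
  }
  return { name: cookie.name, status: 'ok', reason: '' };
}

// Constructed sample headers and how each cookie is meant to be used.
const samples = [
  { header: 'sessionid=abc123; Path=/; HttpOnly', crossSite: false },
  { header: 'visitor=xyz; Domain=ads.example; Path=/', crossSite: true },
  { header: 'embed_login=1; SameSite=None', crossSite: true },
  { header: 'embed_login=1; SameSite=None; Secure', crossSite: true },
  { header: 'csrf=deadbeef; SameSite=Strict; Secure', crossSite: false },
];

function auditAll() {
  return samples.map((s) => auditSetCookie(s.header, s.crossSite));
}

for (const finding of auditAll()) console.log(finding);
```

The second sample is the case the article is about: a tracker that never set SameSite used to work everywhere and, under the new default, is silently demoted to Lax and stops being sent with the pixel request. The third shows why "SameSite=None" on its own is not enough once the https requirement lands.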
And soon, Google "will also require that third-party cookies be only served over https connections, which further enhances web security," said Galbraith, who explained in a blog post that the change will protect cookies from cross-site injection and data disclosure attacks like Cross-Site Request Forgery and Spectre.
Google also intends to work on ways to reduce browser fingerprinting, a method of tracking that looks at installed extensions and other browser and system characteristics to build a unique technical profile that serves as an identifier for tracking.
If Google succeeds, it will still be able to track most people, by virtue of Chrome's dominance. But competitors will suffer.
A Brave spokesperson told The Register via email that Chrome's new proposed default policy for cookies has some security benefits: "However, since sites can opt out of SameSite=Lax, it would be fairly easy for trackers to evade this, so Chrome users would still be subjected to tracking and privacy infringements."
Google power grab
Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, told The Register that while Google's cookie changes will benefit consumer privacy, they'll be devastating for the rest of the ad tech business.
"It's really great for Google's own bottom line because all their users are logged in to various Google services anyway, and Google has consent/permission to advertise and personalize ads with the data," he said.
In a phone interview with The Register, Johnny Ryan, chief policy and industry relations officer at browser maker Brave, expressed disbelief that Google makes it sound as if it's opposed to tracking.
"Google isn't just the biggest tracker, it's the biggest workaround actor of tracking prevention yet," he said, pointing to the company's efforts to bypass tracking protection in Apple's Safari browser.
In 2012, Google agreed to pay $22.5m to settle Federal Trade Commission charges that it "placed advertising tracking cookies on consumers' computers, in many cases by circumventing the Safari browser’s default cookie-blocking setting."
Ryan explained that last year Google implemented a forced login system that automatically signs Chrome into the user's Google account whenever the user signs into a single Google application like Gmail.
"When the browser knows everything you're doing, you don't need to track anything else," he said. "If you're signed into Chrome, everything goes to Google."
But other ad companies will know less, which will make them less competitive. "In real-time ad bidding, where Google's DoubleClick is already by far the biggest player, Google will have a huge advantage because the Google cookie, the only cookie across websites, will have so much more valuable bid responses from advertisers."
The World Wide Web, he said, may become the Google Walled Web. ®