
Google Chrome 80, Cookies, and HTTPS

  • Maxime
  • 06 Jan, 2020

Forecast for 2020 …

Google Chrome 80 will change its cookie management policy to improve overall security. The change will also apply to other browsers (Edge, Firefox) in the near future.

The change is meant to limit the spread of cookies (mainly those of authenticated sessions) through non-secure third-party sites that would like to use these cookies for malicious purposes. It will also affect legitimate uses of cookies to integrate two distinct websites, where one embeds the other in an iframe.

Consequently, if you have a custom integration with ARender in which an authenticated cookie is passed between your interface and ARender to use your services, check the following information carefully:

  • If your cookies do not specify the SameSite property, Google Chrome 80 will automatically treat them as SameSite=Lax. This only allows GET requests from other sites to use these cookies (typically from ARender to your custom integration).
  • Requests will have to be made over HTTPS to reuse these cookies, because the "Without SameSite must be secure" parameter will be enabled automatically.

You can also refer to the Chromium project page describing the rollout of this configuration: https://www.chromium.org/updates/same-site
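
To audit an integration against the two rules above, the following added example (not ARender code) classifies `Set-Cookie` header values the way Chrome 80 handles them when the site that set the cookie is embedded in an iframe on another site. It relies on the rollout behaviour documented by Chromium: only `SameSite=None` cookies are sent in that context, and they are rejected unless they also carry `Secure`. The cookie name and sample headers are constructed.

```javascript
// Constructed sample Set-Cookie values; the cookie name is hypothetical.
const SAMPLE_HEADERS = [
  "SESSION_EXAMPLE=abc123; Path=/; HttpOnly",
  "SESSION_EXAMPLE=abc123; Path=/; HttpOnly; SameSite=None",
  "SESSION_EXAMPLE=abc123; Path=/; HttpOnly; SameSite=None; Secure",
  "SESSION_EXAMPLE=abc123; Path=/; Secure; SameSite=Strict",
];

// Extract only the attributes that matter for the Chrome 80 rules.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Report how Chrome 80 handles the cookie when the site that set it is
// embedded in an iframe on a different site.
function chrome80Verdict(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === "none") {
    // SameSite=None is only accepted together with Secure (HTTPS only).
    return c.secure
      ? { name: c.name, effective: "none", stored: true, sentInCrossSiteIframe: true }
      : { name: c.name, effective: "none", stored: false, sentInCrossSiteIframe: false };
  }
  const explicit = c.sameSite === "lax" || c.sameSite === "strict";
  // Missing attribute: Chrome 80 applies Lax. An unrecognised value is
  // assumed here to be handled like a missing one.
  const effective = explicit ? c.sameSite : "lax";
  return { name: c.name, effective, stored: true, sentInCrossSiteIframe: false };
}

// Print one verdict per sample header.
for (const h of SAMPLE_HEADERS) {
  const v = chrome80Verdict(h);
  const tag = !v.stored ? "REJECT" : v.sentInCrossSiteIframe ? "OK    " : "BLOCK ";
  console.log(`${tag} ${h}`);
}
```

Only the third sample survives an iframe integration: the first is defaulted to Lax, the second is rejected for lacking `Secure`, and the fourth is explicitly `Strict`.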