Why you need to care about Google’s change to the SameSite cookie attribute
By Michael Furman, Tufin Security Architect.
Google recently rolled out a Chrome update with a new cookie policy that makes the browser more secure. The update includes two important changes to how cookies are handled, both relating to the SameSite cookie attribute. The other major browsers are going to enforce the same changes.
So what are these changes?
Previously:
- The SameSite Cookie attribute had two settings: Strict and Lax.
- There was no default setting.
After the policy change:
- The SameSite Cookie attribute has a third setting: None.
- The SameSite cookie attribute is now Lax by default — even if nothing is defined in the cookie.
This new policy will affect all web applications that use cookies. Yes, you heard me correctly, your web applications ARE affected by this change. If your web application sends requests to other applications (or is deployed on multiple hosts), those requests may stop working. Therefore, I strongly recommend testing the related cases in your application to check which ones are affected by Google’s new policy.
These related cases include, for example, initial requests sent to external applications, such as:
- HTML frames that are opened via a link to another application.
- Applications that are accessed via an AJAX request.
After the change, such requests may no longer be authenticated because the cookies are not sent with them, and the requests fail.
If you discover that any of your application functionalities have stopped working, the simplest solution is to set the SameSite attribute of the affected cookie to None. However, from a security perspective, I recommend converting your application to work with Lax. The move might require some additional effort on your part, but the investment will more than pay off because it makes your application safe against CSRF attacks.
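To make the two changes concrete, here is an added example (my own illustration, not code from the post) that models how a browser applies the new policy to a Set-Cookie header and then decides whether the cookie travels with a same-site request, a top-level link navigation, a cross-site frame or an AJAX call. The request kinds and the header samples are constructed for the example; the model is a simplified version of the browser rules.

```javascript
// Added example: simplified model of the post-change SameSite handling.

const SAMESITE_VALUES = new Set(["strict", "lax", "none"]);

// Parse one Set-Cookie header value into name, value and the attributes we need.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false,
    sameSite: null, // null means the attribute was not set at all
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Apply the new policy: a missing (or unknown) SameSite value now defaults to
// Lax, and SameSite=None is only honoured on a cookie that also carries Secure;
// without Secure the browser rejects the cookie outright.
function applySameSitePolicy(cookie) {
  if (!cookie.sameSite || !SAMESITE_VALUES.has(cookie.sameSite)) {
    return { ...cookie, sameSite: "lax", rejected: false };
  }
  if (cookie.sameSite === "none" && !cookie.secure) {
    return { ...cookie, rejected: true };
  }
  return { ...cookie, rejected: false };
}

// Would the (policy-applied) cookie be attached to a request of this kind?
// kind: "same-site", "top-level-get" (user follows a link), "iframe", "ajax"
function cookieSent(cookie, kind) {
  if (cookie.rejected) return false;
  if (kind === "same-site") return true;
  switch (cookie.sameSite) {
    case "none": return true;                       // sent everywhere
    case "lax": return kind === "top-level-get";    // only top-level navigations
    default: return false;                          // strict: never cross-site
  }
}
```

Run it against a legacy header such as `session=abc123; Path=/; HttpOnly` and you will see the cookie default to Lax and drop off the cross-site frame and AJAX requests the post warns about, while the top-level link navigation still carries it.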
You can find more technical information on the SameSite Cookie attribute and Google’s recent policy change at my personal blog: https://ultimatesecurity.pro/post/same-site-cookie/
Michael.