- Update: Chrome releases a analysis to the expected impact
- Update: Chrome delays the SameSite change to Feb 17th.
February is coming and with it the winds of change shall blow across the Internet. A new version of Chrome shall land, and in the days that follow chaos shall engulf those who do not stand ready. So it is that I shall sound the last warning bell – that those whom have remained unaware may brace themselves for the changes to come.
Let us track the storm bearing down on us and see how it formed as we make ready. Perhaps you remember hearing of the sameSite cookie change announced last May? With this announcement Google has signaled a change to how Chrome will process 3rd party cookies – only passing them if the correct attributes are enabled on the cookie in question.
This is a important change, for Chrome holds 63% of the global market share (based on Statcounter Data) and the release of version 80 (Feb 17th) the changes previously announced will go into effect, breaking any feature that relies on 3rd party cookies being shared cross-domain unless the proper protections are taken. They’ve released an analysis on that which can be reviewed here.
For those that are interested Auth0.com has a very good technical writeup on this.
So in a ideal world – one simply works with the vendors/developers to ensure the proper attributes are on the affected cookies and proceeds to live happily ever after. Alas, ’tis not to be so easy – for in fixing it for browsers going forward, you also break it for various browsers of yesteryear as this is a breaking change with the previous standard of cookie handling.
Google has released a list of the impact on these older browsers, and if they remain a sizable part of your browser mix, you may need to consider conditional logic as identified on the above link to ensure that your cookies work on all the browsers that may encounter them.
If your site uses any of the following – you are running out of time to ensure that Chrome will continue to work as expected following the pending update:
- Single Sign-On over multiple domains
- Retargeting
- 3rd Party APIs that require cookie state
Note: The above list is not complete and other cases may exist which are impacted.
You should also be aware that several other browsers have announced plans to deploy this change. Microsoft’s Edge has it on their roadmap, and Firefox currently has it built behind a developer flag. Safari hasn’t yet pledged to adopt the change, but has stated they will be watching the impact of the change and base a decision upon that. At least for the short term, this will be the new standard most of the web uses for handling 3rd party cookies.
The reason I say short term, is the other change Google has announced.
On January 14th 2020 Google announced their plan to kill 3rd party cookies inside of 2 years. This means any functionality that relies on that tech must be replaced, or will cease working in upcoming releases of the browser.
So how do we adapt? We don’t know yet. Google hasn’t given specifics on what, if anything they will release to mimic or replace that functionality. What we do know is Retargeting, Targeted Ad placement, Cross Domain Single Sign On and related features will need to be updated or will cease working as they do today.
The only thing we can do in the mean time is monitor the Chrome Blog, follow their work on their Privacy Sandbox, and take part in the discussions on the Web Advertising Group to try to work out the best solution for all involved.