The latest release of Google Chrome 80 introduces a change to how cookies are handled. This is the first of many changes the company is making to improve privacy and security on the web. Here’s what you need to know about it.
First, as a reminder, cookies are a piece of data sent from a website to a user’s browser at the time of their visit. This data (and any gathered during future visits) is stored locally on the user’s machine.
Cookies are important because they can be used to enhance a user’s experience on your website. But they can also cause security issues. In introducing this change, Google seeks to provide safeguards around when cookies are sent across sites to protect users.
Starting today, Google has added default support for an IETF standard called SameSite, which means developers now must manage cookies with the SameSite attribute component in the Set-Cookie header. If you’re a developer, you’re now required to explicitly specify which cookies can work across websites.
There are three different values that are supported: Strict, Lax, and None.
If set to Strict, the cookie will only be able to be accessed from the domain that initially set it.
Setting the value to Lax will limit the cookie to only being sent on same-site and top-level navigation (this will also be the default value used if the SameSite property is not specified.)
Finally, if set to None, the cookie will work much the same way that cookies work today.
Here’s what this means for your website tests:
If you use Optimizely:
Great news! Your Optimizely cookies will not be impacted by this change. This is because Optimizely only reads cookies in first-party contexts. Read more here.
If you use Adobe Target:
Adobe recently authored a post with an in-depth overview of what Target users need to do to make sure the tool continues to work with Google Chrome 80. For simplicity’s sake, we’ve outlined the main points in the table below.
|If you are using mbox.js, at.js 1. x , or at.js 2. x on your sites.||If your users have “SameSite by default cookies” enabled||If your users have “Cookies without SameSite must be secure” enabled|
|mbox.js with first-party cookie only.||No Impact||No impact if you are not using cross-domain tracking.|
|mbox.js with cross-domain tracking enabled.||No Impact||You must enable the HTTPS protocol for your site.Target uses a third-party cookie to track users and Google requires third-party cookies to have SameSite = None and Secure flag. The Secure flag requires your sites must use the HTTPS protocol.|
|at.js 1. x with first-party cookie.||No Impact||No impact if you are not using cross-domain tracking.|
|at.js 1. x with cross-domain tracking enabled.||No Impact||You must enable the HTTPS protocol for your site.Target uses a third-party cookie to track users and Google requires third-party cookies to have SameSite = None and Secure flag. The Secure flag requires your sites must use the HTTPS protocol.|
|at.js 2. x||No Impact||No Impact|
Our optimization engineers work diligently to remain a step ahead of any major changes to the industry and are here to provide support. Should you have any questions, feel free to reach out to us on Twitter, Facebook or LinkedIn.