It’s been rumored for quite some time that Google might block third-party cookies. This is because Chrome is the only browser without the option to do so. Amidst all these rumors, Google is testing a couple of things to improve security. The pieces in question are two Chrome flags. While these flags will make cookies secure for everyone, there are a few negative aspects as well.
For those unaware, cookies, in simple words, help your browser remember login credentials and other details. While they are very convenient, they can be exploited in a number of ways. For instance, a website could take advantage of your saved credentials for another site. To prevent this, developers could tag cookies to make them secure for users. However, because this was an optional security measure relying solely on the developer’s choice, it was still not that effective. Google aims to change things with these two new flags.
As 9to5Google reports, the two new flags in Google Chrome will ensure that ALL cookies are equipped with those security tags by default. The tags in question are the Secure and SameSite tags. Tagging a cookie with Secure ensures that it is only used when making an HTTPS connection. SameSite, in turn, has two types, i.e., Lax and Strict. While Strict completely blocks a cookie from being used when connecting from one website to another, Lax blocks cookies when connecting from one website to certain secure aspects of the other. The two new flags aim to implement the Secure and SameSite tags in all cookies.
Firstly, we have the #same-site-by-default-cookies flag. This flag makes all cookies without a SameSite tag Lax by default. That is, they behave as if they were tagged with SameSite “Lax”. Secondly, we have the #cookies-without-same-site-must-be-secure flag. Enabling this flag will tag all cookies devoid of SameSite as Secure as well. This would add a substantial level of security. However, this flag might cause a number of problems, because many websites haven’t made the switch to HTTPS yet.
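To see which of a site's cookies the flags would touch, here is an added example (not code from Chrome or 9to5Google) that audits Set-Cookie headers against the two flags as this article describes them. The function names, the `flags` object and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers against the two flags as this
// article describes them. Function names and sample headers are constructed.

// Parse one Set-Cookie header value into its name and the two attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    secure: false,
    sameSite: null, // null means the attribute is absent
  };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    const k = key.toLowerCase();
    if (k === 'secure') cookie.secure = true;
    if (k === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Effective attributes once the flags are enabled, per the article:
//  - #same-site-by-default-cookies: a missing SameSite behaves as Lax
//  - #cookies-without-same-site-must-be-secure: a missing SameSite implies Secure
function auditCookie(header, flags, pageIsHttps) {
  const c = parseSetCookie(header);
  const noSameSite = c.sameSite === null;
  const sameSite = noSameSite && flags.sameSiteByDefault ? 'lax' : c.sameSite;
  const secure = c.secure || (noSameSite && flags.withoutSameSiteMustBeSecure);
  return {
    name: c.name,
    sameSite,
    secure,
    changed: sameSite !== c.sameSite || secure !== c.secure,
    // A Secure cookie is only used over HTTPS, so it is lost on an HTTP site.
    usableOnThisSite: !secure || pageIsHttps,
  };
}

// Constructed sample headers.
const samples = [
  'sid=abc123; Path=/; HttpOnly',
  'prefs=dark; Secure; SameSite=Strict',
  'track=xyz; SameSite=Lax',
];
const bothFlags = { sameSiteByDefault: true, withoutSameSiteMustBeSecure: true };
for (const h of samples) console.log(auditCookie(h, bothFlags, false));
```

Cookies reported with `changed: true` and `usableOnThisSite: false` are the ones a site still on HTTP would lose, which is the breakage mentioned above.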
The aforementioned flags have already made their way into Chrome Canary. 9to5Google speculates that they won’t reach end users until Chrome 76, at the earliest. The flags will definitely go through a lot of testing by the developers, considering they might affect websites significantly when enabled. Given that this is still in an experimental phase, there is ample possibility that the flags might not even make their debut in the stable, normal version of Chrome.