In May, Chrome announced a secure-by-default model for cookies, enabled by a new cookie classification system.
Chrome plans to implement the new model with Chrome 80 in February 2020. Mozilla and Microsoft have also indicated an intent to implement the new model in Firefox and Edge, on their own timelines.
What does it mean?
Today, if a cookie is only intended to be accessed in a first-party context, the developer has the option to apply one of two settings (SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats.
Google Chrome 80 introduces a new default cookie attribute setting of SameSite=Lax. Previously, a cookie with no SameSite attribute behaved as SameSite=None. Developers must now set the SameSite=None attribute explicitly to designate cookies for cross-site access. When the SameSite=None attribute is present, the Secure attribute must also be set, so cross-site cookies can only be sent over HTTPS connections.
This won’t mitigate all risks associated with cross-site access, but it will provide protection against network attacks.
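The following is an added example, not code from the original article or from the Chrome project. It models the rules described above (unspecified SameSite behaving as None before Chrome 80 and as Lax afterwards, SameSite=None requiring Secure, Lax cookies riding only on top-level navigations with safe methods) so a site owner can audit their own Set-Cookie headers and predict which cookies will stop arriving on cross-site requests. The function names, the request-description object and the sample headers are all constructed for the example.

```javascript
// Added example: predict how a Set-Cookie header behaves under the pre-Chrome-80
// default versus the Chrome 80 SameSite=Lax default. Not the browser's own code.

// Parse one Set-Cookie header value into the fields this model needs.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq < 0 ? nameValue : nameValue.slice(0, eq),
    value: eq < 0 ? '' : nameValue.slice(eq + 1),
    secure: false,
    sameSite: null, // null means the attribute was not specified at all
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val.trim().toLowerCase();
  }
  return cookie;
}

// Effective SameSite mode. legacy=true models the old default (unspecified acts
// like None); legacy=false models Chrome 80, where unspecified becomes Lax and a
// SameSite=None cookie without Secure is rejected (never stored).
function effectiveSameSite(cookie, legacy) {
  if (cookie.sameSite === 'strict' || cookie.sameSite === 'lax') return cookie.sameSite;
  if (cookie.sameSite === 'none') {
    if (!legacy && !cookie.secure) return 'rejected';
    return 'none';
  }
  return legacy ? 'none' : 'lax';
}

// Methods that a Lax cookie may accompany on a cross-site top-level navigation.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Would the browser attach this cookie to a request?
// request = { crossSite, topLevelNavigation, method, https } (constructed shape)
function wouldBeSent(cookie, legacy, request) {
  const mode = effectiveSameSite(cookie, legacy);
  if (mode === 'rejected') return false;            // never stored, so never sent
  if (cookie.secure && !request.https) return false; // Secure cookies stay off plain HTTP
  if (!request.crossSite) return true;              // same-site requests always carry it
  switch (mode) {
    case 'none':
      return true;
    case 'lax':
      return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    default: // 'strict'
      return false;
  }
}

// Audit a list of Set-Cookie headers and report which ones change behaviour.
function auditSetCookies(headers) {
  return headers.map(parseSetCookie).map((cookie) => {
    const before = effectiveSameSite(cookie, true);
    const after = effectiveSameSite(cookie, false);
    let note = 'unchanged';
    if (after === 'rejected') note = 'SameSite=None requires Secure; cookie will be rejected';
    else if (before !== after) note = `unspecified SameSite now treated as ${after}; cross-site embeds lose it`;
    return { name: cookie.name, before, after, note };
  });
}

// Constructed sample headers, as a site's responses might emit them.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly',          // no SameSite: default changes
  'csrftoken=xyz; SameSite=Strict; Secure',      // already explicit, unaffected
  'embedded_widget=1; SameSite=None',            // missing Secure: rejected in Chrome 80
  'embedded_widget_ok=1; SameSite=None; Secure', // correct cross-site cookie
];

for (const finding of auditSetCookies(SAMPLE_HEADERS)) {
  console.log(`${finding.name}: ${finding.before} -> ${finding.after} (${finding.note})`);
}
```

The audit report is the useful artefact: any cookie whose `before` and `after` differ is one that a cross-site iframe, image or XHR will silently stop receiving, and any `rejected` entry is a cookie the browser will refuse to store at all. The model deliberately ignores Chrome's temporary "Lax+POST" exception for very recently set cookies; treat a top-level cross-site POST as cookie-less when planning a migration.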