Google rolls back SameSite cookie changes to keep essential online services from breaking
Google today announced that it will temporarily roll back the changes it recently made to how its Chrome browser handles cookies in order to ensure that sites that perform essential services like banking, online grocery, government services and healthcare won't become inaccessible to Chrome users during the current COVID-19 pandemic.
The new SameSite rules, which the company started rolling out to a growing number of Chrome users in recent months, are meant to make it harder for sites to access cookies from third-party sites and hence track a user's online activity. These new rules are also meant to prevent cross-site request forgery attacks.
Under Google's new guidance, developers must explicitly allow their cookies to be read by third-party sites, otherwise, the browser will prevent these third-party sites from accessing them.
Because this is a pretty major change, Google gave developers quite a bit of time to adapt their applications to it. Still, not every site is ready yet, so the Chrome team decided to halt the gradual rollout and stop enforcing these new rules for the time being.
"While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time," writes Google Chrome engineering director Justin Schuh. "As we roll back enforcement, organizations, users and sites should see no disruption."
A Google spokesperson also told us that the team saw some breakage in sites "that would not normally be considered essential, but with COVID-19 having become more important, we made this decision in an effort to ensure stability during this time."
The company says it plans to resume its SameSite enforcement over the summer, though the exact timing isn't yet clear.
Google wants to phase out support for third-party cookies in Chrome within two years