back to article Google warns devs as it tightens Chrome cookie security: Stuff will break if you're not clued up

Google is asking developers to get ready for more secure cookie settings to be implemented in Chrome 80 that is planned for release in February 2020. The announced changes relate to the SameSite cookie attribute. First specified in July 2016, the SameSite attribute is set by the developer when the cookie is planted, and can be …

  1. tiggity Silver badge

    Err...

    "This is still challenging, though, since not all cross-site cookies are harmful."

    Maybe not, but plenty are.

    Just like cross site scripts, if potential to abuse exists, then someone will abuse it.

    But as article points out, Google have vested interests with all their analytics, ads etc so will never be keen on properly sanitised websites / real fine grained user control as they will lose a lot of precious data

  2. This post has been deleted by a moderator

    1. Anonymous Coward
      Anonymous Coward

      Re: Block all Third-Party cookies

      A safer place, but not an actual safe place.

    2. iron Silver badge

      Re: Block all Third-Party cookies

      I've been blocking all 3rd-party cookies for something like 25 years with few problems until recently. Lately embedded videos fail to load on some sites and occasionally login systems don't work but if a site doesn't meet my cookie requirements I just don't use it.

  3. GnuTzu Silver badge

    Finger Printing and The DMCA

    My usual rant. If corporations can have a law that prevents circumvention of the what they do to protect their data (DMCA), then why can't we have one to prevent circumvention of tracking and privacy tools/controls that we use to protect our data?

    That's as simply as I can put it. Usually my rants are longer and... urg... urg... holding back the rage... holding back the rage. It's just so, so sick the way things work. {sigh}

    1. really_adf

      Re: Finger Printing and The DMCA

      If corporations can have a law that prevents circumvention of the what they do to protect their data (DMCA), then why can't we have one to prevent circumvention of tracking and privacy tools/controls that we use to protect our data?

      That's a very clear way to put it, and I can't see a reasonable argument against it. Have an upvote.

    2. Charlie Clark Silver badge

      Re: Finger Printing and The DMCA

      In Germany the issue has been to court and decided in the users' favour. And GDPR does more of the same. But we won't see a significant change in behaviour until we see some stiffer fines handed out.

      Google's argument about "fingerprinting" doesn't wash: such practices are a clear breach of data privacy legislation.

    3. TheVogon Silver badge

      Re: Finger Printing and The DMCA

      We already do. It's called GDPR.

    4. GnuTzu Silver badge
      Mushroom

      Re: Finger Printing and The DMCA

      Replying to my own post... I'm so fed up...

      I happen to know a web proxy administrator, and I happen to know that utm parameters and Google headers can be stripped at the proxy (not to mention just blocking Google tracking URL's outright). Imagine doing that for a really large organization. Might get a few user complaints because it broke Google, but... Hey, use DuckDuckGo (etc., yes, there are other search engines that respect privacy).

      Yet, the thing that really ticks me off is that utm parameters are added by a massive number web sites. That's right, the majority of the Internet is conspiring with Google for SEO purposes... just like every business seems obligated to have a FaceBook page.

      Now to see if I can get this proposed as a security control, though it's probably a pipe dream.

      Oh, there's where the rest of that rant went. I'm so happy to see the rage return.

      1. JohnFen Silver badge

        Re: Finger Printing and The DMCA

        "I'm so fed up"

        You're not the only one. Personally, I'm fed up and furious about all of this, and I suspect that I will eventually reach a point where I simply stop using the web entirely.

        1. GnuTzu Silver badge
          Thumb Up

          Re: Finger Printing and The DMCA

          Before it comes to that, perhaps one of the privacy respecting search engines, like DuckDuckGo, might also start rating the degree to which a site in the search results respects privacy, say on a scale of 1 to 5. And, it would allow you to filter results to only include scores that you're willing to tolerate--as well as show the scores in the search results.

          Of course, as long as Google dominates the SEO world, this won't be much motivates for sites to be more privacy respecting. But, sites with any virtue would strive to do better on a sense of moral responsibility alone.

          1. JohnFen Silver badge

            Re: Finger Printing and The DMCA

            That's an interesting idea, but how would a search engine be able to tell which sites are privacy respecting and which aren't? That's not just a question about technical capability, but also a recognition that even in the general pro-privacy community, there isn't really consensus on what counts as "privacy respecting".

            But I would love to see someone try! Even if it's not 100% accurate, it would probably be better than nothing.

    5. fidodogbreath Silver badge

      Re: Finger Printing and The DMCA

      If corporations can have a law that prevents circumvention of the what they do to protect their data (DMCA), then why can't we have one to prevent circumvention of tracking and privacy tools/controls

      When you have enough money to buy yourself some lawmakers, you can get a law too.

      1. GnuTzu Silver badge
        Mushroom

        Re: Finger Printing and The DMCA -- "It's a cookbook!"

        Yet, with so many of us knowing this, you'd think...

        Oh, it's a variant of too-big-to-fail. Somehow, the market must be made to thrive in order to serve consumers.

        Oh, now where's that Twilight Zone episode, "To Serve Man"? Oh yes: https://en.wikipedia.org/wiki/To_Serve_Man_(The_Twilight_Zone)

        Can't you just see the cookbook logic in the reasoning that somehow corporations have to come first? :/

        1. GnuTzu Silver badge

          Re: Finger Printing and The DMCA -- "It's a cookbook!"

          Responding to my own post (again)... When in a more reasonable state, I can see that the market is a system where consumer demand shapes corporations; and in serving consumers, corporations make the availability of the products known... throu... through... Oh, hell, manipulative, brainwashing, addiction inducing advertising and product design. Then using those techniques to manipulate politicians who also grew up under the influence of that very same enslaving advertising, so they think they're giving us something that will allow us to thrive--when so many of us are just frickin' chasing a carrot on a stick. Yes, the consumers are part of the problem! Damn, blame everybody!!!

        2. GnuTzu Silver badge

          Re: Finger Printing and The DMCA -- "It's a cookbook!" -- New Slogan

          We are no longer the consumers; we are now the consumed.

          1. Intractable Potsherd Silver badge

            Re: Finger Printing and The DMCA -- "It's a cookbook!" -- New Slogan

            @GnuTzu: Thank you for articulating over several posts my own thoughts on this far better than I could. What *is* isn't what *ought" to be, and yet there is no practical reason it couldn't be.

  4. JohnFen Silver badge

    Largely pointless

    "advertisers that want to see tracking cookies can ensure that they set the required attributes."

    This is why I consider this largely pointless, but it's probably a small improvement for people who just accept the default settings for everything. Personally, I'll just continue to block all third party cookies.

  5. Crazy Operations Guy Silver badge

    Google really needs to be broken apart

    While this is a very positive move forward, it feels very much like a 'fox guarding the hen house' situation. Google is in the business of tracking and profiling us and I can't help but think that they are leaving some intentional gaps in their policies to allow them to do their tracking, but lock out their competitors. Until the company is split, I will forever assume that any move on their part is a cynical ploy to make more money and/or eliminate competition.

  6. Anonymous Coward
    Anonymous Coward

    Google says "blunt approaches have been tried"

    And they fuck with our revenue model, so we are trying to claim our lesser solution is better!

  7. quartzz

    someone correct if wrong, but is Chrome ever going to have a decent cookie editor? Firefox you can list by last date used, size of cookies, name. Chrome, you can't sort by anything. if I want to delete cookies that haven't been used since 2 years ago, there is no way to list those in Chrome

  8. RyokuMas Silver badge
    Coat

    Speak for yourself...

    "Google's efforts to tighten web standards are welcome..."

    Given that these so-called "standards" are being put forward by a body with a vested interest in ensuring they retain their stranglehold on much of the web, to me these efforts are about as welcome as a fart in a wetsuit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020