how cute
Oh look Google is finally getting around to do an inferior job to what Privacy Badger has been doing for me for years now.
Next week Google is scheduled to release Chrome 80 to its stable channel, and says only "a very modest amount of breakage" of websites is expected. The reason web publishers might see "breakage" – which can mean anything from the loss of certain user-facing features to backend analytics errors – is that Chrome 80 handles HTTP …
Joe Nasty also has to ensure it takes care of buggy clients, else they'll get the wrong result from them.
samesite=none;secure just means the cookie has to have been transmitted over a secure channel (https) from the 3rd party server, therefore protecting it from snooping in transit.
I'm struggling also to see what huge leap making the bad cookie originate from a https server offers up to defeating various attacks in this case.
Also a value of none breaks older browers that won't rend the page as a result. Previously it had to be missing, lax or secure to be valid.
Quote from theverge article referenced above.
"After complaints, Google was forced to reveal it had launched an “experiment” on stable versions of Chrome that had changed the browser’s behavior. The experiment was made silently, without IT admins or users being warned about Google’s changes."
Firefox allows you to disable 'experiments' and 'studies' through both the preferences page in the GUI and through the about:config list for more granular control. Is there an equivalent in Chrome?
Icon: just upgraded the missus to Windows 10 and she is a Chromie
So, how long now before Chrome directs ALL web traffic through Google's servers, and unilaterally insists on Google mandated HTML extensions on every page it allows - for the safety and security of its' captive users of course?
SameSite comes from IETF and is supported in all major browsers not named Safari. Google is just changing default behaviour to gradually push it to strict, which would improve overall safety on the web. While I'm not one to blindly defend the sometimes ridiculous shenanigans Google gets up to, this isn't really in that category.