PSA: Enabling SameSite cookie features via Finch on M78 Beta


Lily Chen

Sep 9, 2019, 2:14:55 PM
to blink-api-ow...@chromium.org, Chris Harrelson, Brad Lassey, Marshall Vale, Paul Jensen
Hi API owners,

We plan to enable Cookies default to SameSite=Lax and Reject insecure SameSite=None cookies as well as Display alerts for SameSite cookie changes in the developer console via Finch on M78 Beta. The first two will be rolled out as a 50% experiment, and the latter rolled out to 100% of users.

We will be looking at metrics such as page reload rates and browsing data clearing rates to evaluate the effect of the changes on page breakage.

The web.dev post linked from the ChromeStatus pages (which are linked from the console messages) has instructions on enabling the features for local testing.

Thanks,
Lily
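To make the two behaviour changes in this PSA concrete for site owners auditing their own Set-Cookie headers, here is an added example (not Chromium code, and not from the author of this thread) that models them: a missing SameSite attribute is treated as Lax, and SameSite=None without Secure is rejected. The sample headers and the helper names are constructed for the example; an unrecognised SameSite value is treated like a missing one, which is an assumption of this model.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def classify(header):
    """Return ('rejected', reason) or ('accepted', effective SameSite mode)."""
    attrs = parse_set_cookie(header)[2]
    mode = attrs.get("samesite", "").lower()
    if mode == "none":
        if "secure" not in attrs:
            return ("rejected", "SameSite=None without Secure")
        return ("accepted", "None")
    if mode in ("strict", "lax"):
        return ("accepted", mode.capitalize())
    # Missing (or, as an assumption here, unrecognised) attribute: Lax by default.
    return ("accepted", "Lax")

def sent_on_request(header, same_site, top_level_navigation):
    """Would the cookie be attached to a request with this context?"""
    status, mode = classify(header)
    if status == "rejected":
        return False
    if same_site or mode == "None":
        return True
    if mode == "Lax":
        return top_level_navigation  # cross-site subresources/XHR lose it
    return False  # Strict is never sent cross-site

SAMPLES = [  # constructed headers a site might emit today
    "session=abc123; Path=/",              # becomes Lax: breaks cross-site embeds
    "tracker=xyz; SameSite=None",          # rejected outright
    "sso=tok; SameSite=None; Secure",      # unchanged
    "csrf=nonce; SameSite=Strict; Secure", # unchanged
]

def breakage_report(headers=SAMPLES):
    """Headers a cross-site subresource request would no longer carry."""
    report = []
    for h in headers:
        mode = parse_set_cookie(h)[2].get("samesite", "").lower()
        legacy_sent = mode not in ("strict", "lax")  # old default acted like None
        if legacy_sent and not sent_on_request(h, False, False):
            report.append(h)
    return report
```

Running `breakage_report()` over a site's real headers lists the cookies that cross-site embeds and fetches will stop receiving, which is the breakage the page-reload and data-clearing metrics above are meant to surface.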

Chris Harrelson

Sep 9, 2019, 4:50:15 PM
to Lily Chen, blink-api-owners-discuss, Brad Lassey, Marshall Vale, Paul Jensen
This plan LGTM. There is some risk sites will be confused about why something would be broken 50% of the time on the beta channel, but this feature needs more data to help unblock success, and I think there is a good chance data on the beta channel will help.

Lily Chen

Oct 1, 2019, 11:29:39 AM
to Chris Harrelson, Lily Chen, blink-api-owners-discuss, Brad Lassey, Marshall Vale, Paul Jensen
Hi API owners,

Just wanted to check in again about this: We were intending to exclude enterprise users from the Beta experiment via the Finch is_enterprise filter (to avoid disruptive breakage), limiting the experiment to those platforms on which the is_enterprise filter is supported (Win/Mac/CrOS), but we've learned that the filter is not a perfect classification and may miss some enterprise users that aren't recognized as such.

Is it still ok with y'all to experiment on Beta, knowing that we may risk breakage to some fraction of enterprise users (as any Win/Mac/CrOS Beta users not recognized as enterprise may receive the experiment)? (i.e. we risk breaking 50% of Beta users on Win/Mac devices who are enterprise but device is not domain-joined, and 50% of Beta users on CrOS who are enterprise but device is not enterprise-registered). (The Finch config that we currently have is at cl/269412240, if you're curious.)

Thanks,
Lily

Chris Harrelson

Oct 2, 2019, 1:55:55 PM
to Lily Chen, blink-api-owners-discuss, Brad Lassey, Marshall Vale, Paul Jensen
Is it possible to omit all users who don't opt into experimentation?

Lily Chen

Oct 2, 2019, 2:59:46 PM
to Chris Harrelson, Lily Chen, blink-api-owners-discuss, Brad Lassey, Marshall Vale, Paul Jensen
We decided to defer the Beta experiment from M78 to M79, and have the enterprise opt-out policies implemented by then. That way the Finch enterprise filter will not be necessary, as enterprises can opt out via the policies. (And it gives them extra time to test their policy configuration.)

We are still planning to experiment on Canary and Dev in M78, filtering out enterprise users where we can (even though the filter is imperfect).

Does that sound reasonable?

Chris Harrelson

Oct 2, 2019, 3:09:40 PM
to Lily Chen, blink-api-owners-discuss, Brad Lassey, Marshall Vale, Paul Jensen
This sounds reasonable to me!
