[PSA] SameSite-by-default cookie changes in M85


Lily Chen

Jun 18, 2020, 12:28:13 PM
to embedd...@chromium.org

Tl;dr: The base::Features for SameSite-by-default cookie changes have been enabled by default as of r777063. Embedders may adjust the affected cookie behavior in several ways described below.


What changed?

Two base::Features have been enabled by default:


Why does this matter?

These features enable changes with significant compatibility risk that affect how cross-site cookies are handled on close to half of all page loads. Given the magnitude of the potential impact, Chrome has been rolling out these changes with caution while monitoring metrics and web ecosystem feedback. User reports of site breakage are being tracked here, and bug reports are welcome via this template.


How can embedders modify this behavior?

Several options are available:

  1. Disable the base::Features. For example, this can be done when setting up the FeatureList in PostEarlyInitialization().

  2. Disable the SameSite-by-default behavior for cookies on select domains using "legacy cookie access semantics" content settings. Allowing legacy cookie access disables the new behavior, regardless of the state of the base::Features. Domain patterns can be specified as ContentSettingsPatterns and provided in the CookieManagerParams while creating a NetworkContext, and can also be updated dynamically via the CookieManager mojo interface.

  3. Disable the new behavior globally by using a CookieAccessDelegate that always allows legacy cookie access. This is also configured via CookieManagerParams.
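The three knobs above interact with a clear precedence: legacy access granted for a host (by pattern or by delegate) switches the new behaviour off for that host even while the features stay enabled. The following self-contained C++ model, added here and not Chromium's or the embedder API's own code, makes that precedence and its effect on cross-site subresource requests concrete. It assumes a simplified `[*.]domain` pattern syntax, folds both SameSite features into one `same_site_by_default_enabled` switch, and ignores the Lax-on-POST grace period; `EmbedderConfig`, `Cookie`, `SentCrossSite` and the other names are invented for the model.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Declared SameSite attribute of a cookie.
enum class SameSite { kUnspecified, kNone, kLax, kStrict };

struct Cookie {
  std::string name;
  std::string domain;  // host the cookie belongs to, e.g. "example.test"
  SameSite same_site;
  bool secure;
};

// Model of the three embedder knobs described in the post (assumed names,
// not the real CookieManagerParams / CookieAccessDelegate types).
struct EmbedderConfig {
  bool same_site_by_default_enabled = true;                // option 1: feature state
  std::vector<std::string> legacy_access_patterns;         // option 2: per-domain legacy access
  std::function<bool(const std::string&)> access_delegate; // option 3: true = legacy access
};

// Simplified content-settings pattern match: "[*.]example.test" matches the
// host itself and any subdomain; anything else must match exactly.
bool PatternMatches(const std::string& pattern, const std::string& host) {
  if (pattern.rfind("[*.]", 0) == 0) {
    const std::string base = pattern.substr(4);
    if (host == base) return true;
    return host.size() > base.size() + 1 &&
           host.compare(host.size() - base.size() - 1, base.size() + 1, "." + base) == 0;
  }
  return pattern == host;
}

// Legacy access wins if either the delegate or a content-setting pattern grants it.
bool LegacyAccessAllowed(const EmbedderConfig& cfg, const std::string& host) {
  if (cfg.access_delegate && cfg.access_delegate(host)) return true;
  for (const auto& pattern : cfg.legacy_access_patterns)
    if (PatternMatches(pattern, host)) return true;
  return false;
}

// Would this cookie be attached to a cross-site subresource request
// (image, iframe, fetch), given the embedder's configuration?
bool SentCrossSite(const EmbedderConfig& cfg, const Cookie& c) {
  // Legacy semantics apply when granted per host, regardless of the feature state,
  // or when the feature is switched off entirely.
  const bool legacy = LegacyAccessAllowed(cfg, c.domain) || !cfg.same_site_by_default_enabled;
  switch (c.same_site) {
    case SameSite::kStrict:
    case SameSite::kLax:
      return false;  // never sent cross-site, under either semantics
    case SameSite::kNone:
      // New rules: SameSite=None is only honoured when Secure is also set.
      return legacy ? true : c.secure;
    case SameSite::kUnspecified:
      // New rules: unspecified is treated as Lax; legacy treats it as None.
      return legacy;
  }
  return false;
}

int main() {
  EmbedderConfig defaults;  // features on, no exemptions
  EmbedderConfig exempt;
  exempt.legacy_access_patterns = {"[*.]example.test"};
  const Cookie c{"sid", "app.example.test", SameSite::kUnspecified, false};
  std::cout << "default config sends sid cross-site: " << SentCrossSite(defaults, c) << '\n'
            << "with legacy pattern sends sid cross-site: " << SentCrossSite(exempt, c) << '\n';
  return 0;
}
```

A useful way to read the model: option 1 flips `legacy` for every host, options 2 and 3 flip it only for the hosts they name, and none of them loosens an explicit `Lax` or `Strict` cookie. Embedders that exempt a domain should know that cookies on it without a SameSite attribute go back to being sent on all cross-site requests, which is exactly the exposure the new defaults were introduced to close.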
