Tech

Google Chrome to support same-site cookies, get anti-fingerprinting protection

Google announces two new privacy-focused features for Chrome at the I/O 2019 developer conference.

Written by Catalin Cimpanu, Contributor May 7, 2019 at 3:22 p.m. PT

Image: Google // Composition: ZDNet

More Google I/

Google plans to add support for two new privacy and security features in Chrome, namely same-site cookies and anti-fingerprinting protection.

Both features have been announced today at the company's I/O 2019 developer conference, and no deadlines have been provided for when the two will hit Chrome installations in the coming year.

Same-site cookies

The biggest change that Google plans to roll out is in regards to how it treats cookie files.

These new controls will be based on a new IETF standard that Chrome and Mozilla developers have been working on for more than three years.

This new IETF specification describes a new attribute that can be set inside HTTP headers. Called "SameSite," the attribute must be set by the website owner and should describe the situations in which a site's cookies can be loaded.

A SameSite attribute of "strict" will mean the cookie can only be loaded on the "same site." Setting attributes such as "lax" or "none" will allow the cookies to be loaded on other sites as well.

TL;DR: `SameSite=Lax` by default. Folks who require cross-site access can opt-into the status quo via `SameSite=None`, but doing so will require asserting `Secure` as well.
— Mike West (@mikewest) May 7, 2019

In layman terms, this creates a dividing line between cookies, which will become ether same-site or cross-site cookies.

Google hopes that website owners will update their sites and convert old cookies that they were using for sensitive operations, such as login operations and managing per-site settings, to same-site cookies.

All old cookies that don't have a SameSite header will automatically use a "none" attribute, and Chrome will consider them as cross-site --or tracking-- cookies.

Google said today that it plans to add options in Chrome's setting panel so users can view "how sites are using cookies, as well as simpler controls for cross-site cookies."

It is unclear if these "simpler controls" will let users block cross-site (tracking) cookies altogether, but Google promised to preview these features later this year.

Firefox has added support for cross-site cookies since April 2018, with the release of Firefox 60. Chrome has supported same-site cookies since 2016, but the browser will start requiring the attribute starting later this year.

As an added benefit, websites that use same-site cookies are also protected against a series of attacks, such as cross-site request forgery (CSRF) attacks. Using same-site cookies means malicious code loaded on a third-party website can't pull and read a cookie on another domain --because the "SameSite: strict" attribute in the cookie's header will block this from happening.

Even if Google won't deliver on its promise to add controls to block cross-site (tracking) cookies, just by supporting the SameSite attribute, Google will greatly improve the security posture of many websites and web applications, as CRSF attacks are some of the most common today.

More details about the SameSite IETF specification --currently a draft-- are available in RFC 6265, on the MDN portal, and in this introductory blog post on Google's web.dev tutorial site.

Anti-fingerprinting protection

See als

10 dangerous app vulnerabilities to watch out for (free PDF)

But Google engineers also announced a second major new privacy feature for Chrome today at the I/O 2019 developer conference.

According to Google, the company plans to add support for blocking certain types of "user fingerprinting" techniques that are being abused by online advertisers.

Google didn't go into details of what types of user fingerprinting techniques it was planning to block. It is worth mentioning that there are many, which range from scanning locally installed system fonts to abusing the HTML5 canvas element, and from measuring a user's device screen size to reading locally installed extensions.

The first major browser to block fingerprinting scripts/techniques was the Tor Browsers, which had to do so to prevent the deanonymization of its users. This feature was later backported back into the Firefox browser, just as Mozilla was, too, shifting to a privacy-first approach that the company set on in late 2017.

Now, in a I/O conference that has centered around announcements of new privacy-focused services and features for its users, Google said that Chrome would be receiving an anti-fingerprinting feature as well.

"Because fingerprinting is neither transparent nor under the user's control, it results in tracking that doesn't respect user choice," the company said today.

"This is why Chrome plans to more aggressively restrict fingerprinting across the web. One way in which we'll be doing this is reducing the ways in which browsers can be passively fingerprinted, so that we can detect and intervene against active fingerprinting efforts as they happen."

But, why!?!

Some users might be asking themselves as to why is Google --a company that makes the bulk of its profit from online advertising and tracking users-- is now shipping these privacy features, which are expected to have a big impact on its business.

The answer is simple. With ad blockers extensions that have a "scorched earth" approach to blocking intrusive tracking scripts, Google is attempting to control the eventual decline of online advertising profits.

In recent months, the company has gone as far as to include a basic ad blocker inside Chrome and has even attempted to neuter ad blockers through a very controversial update to its extensions ecosystem.

Ad blockers are here to stay, and Google's best chance right now is to reduce their damage by setting itself in firm control of what privacy and ad-blocking features users have access to by default --in an attempt to control the entire ecosystem before users get too used to the current state of affairs.