Last Updated on May 13, 2021
In February 2020 Google is rolling out Chrome 80. This update comes out around the same time as similar updates from Mozilla and Microsoft. All of the updates are going to be making security-focused changes. But this time some of those changes will be focused on cookie settings, specifically the SameSite=None setting. So let’s see if it’s going to change how your site works.
Note: If you’re looking for more detailed information at the web developer level, you can find some high-level info from Google on their Web.dev blog.
What are Third-Party Tracking Cookies?
Cookies are usually used to make a website visitor’s life easier. Cookies are used to do things like retain page settings, load certain views, or autofill usernames. Over time, your browser will collect cookies for a wide number of sites and save them in case you go back to any of those sites in the future.
Google isn’t changing this concept, but it is changing how your cookies are used if the domain changes. For example, if you’re visiting disney.com, and your browser saves a cookie, that cookie is linked to disney.com. But if you then navigate to marvel.com (owned by Disney), the cookie will now be considered “cross-site” (or often described as ‘third party’).
This is to stop cookies (and your personal information) being abused and to help protect web users’ online privacy. Being able to use the same cookies for multiple website domains, while useful, has created a weakness that hackers have exploited.
So, to keep websites and their visitors safe. Google has changed the default setting from SameSite=Lax to SameSite=None, so it will now assume if a cookie does not match the original domain it was created on, it will be considered a third-party cookie and it will ask the visitor if they want to accept this cookie or not.
What Does SameSite=None Mean?
If you’re running a business that has multiple domains you need to be aware of this change to ensure your users have a comfortable experience on your website. If you manage cross-site cookies, you need to set up a SameSite=None; Secure setting to those cookies. This will tell Google that the two websites are connected and that it does not need to warn users about third-party cookies.