In case you missed it, Google Chrome is changing the way it handles cookies that lack a SameSite attribute, which could impact your eCommerce site and any other app that relies on cookies. Even if most of your users don’t use Chrome, Microsoft and Mozilla have indicated that they plan to implement similar policies on their own timelines.
If you sell online and any of your applications use cookies (which they almost certainly do), you could be impacted by this update. It’s important to familiarize yourself with this Google Chrome policy and check its impact on your site.
Last year, Chrome announced a secure-by-default model for cookies, built on a new cookie classification system. The goal of the change is to improve privacy and security across the web. The new model ships on February 4th, 2020 with the Chrome version 80 update.
So, what’s changing exactly?
Under this secure-by-default model, a cookie that has no SameSite attribute is treated as SameSite=Lax: it is sent with same-site requests and with top-level navigations to the site that set it, but not with cross-site subrequests such as iframes, images or cross-site form posts. Developers who need a cookie to work in a cross-site context must mark it explicitly with the new SameSite=None value. SameSite=None only works together with the Secure attribute, so cross-site cookies can only be set and sent over HTTPS; Chrome 80 rejects a SameSite=None cookie that is not also marked Secure.
Read more about the new cookie model on the Chromium Blog.
Why make the change to SameSite Cookies?
Before this model, most developers weren’t following the recommended practice of marking whether a cookie is only meant to be used in a first-party context, that is, when the site that set the cookie is the same site the user sees in the address bar. As a result, many cookies that only ever need to work on one site were needlessly exposed to cross-site threats like Cross-Site Request Forgery (CSRF). In a CSRF attack, a page controlled by the attacker makes your browser send a request to a site where you are already logged in, for example by auto-submitting a hidden form. Because the browser attaches your session cookie to that request automatically, the site treats the forged request as yours and may carry out whatever it asks, such as transferring money out of your bank account. A cookie the browser refuses to attach to cross-site requests takes that opportunity away.
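To make the rules above concrete, here is an added example written for this article (it is not Chromium source or code from any vendor mentioned here) that models how Chrome 80 decides whether to store a cookie and whether to attach it to a request, before and after the default change. The site names (bank.example, evil.example, shop.example, pay.example) and cookie names are constructed, and sites are compared by registrable domain, which is how the browser defines “same site”. The second scenario also covers the embedded payment-gateway case discussed further down.

```javascript
// Added example for this article: a small model of the SameSite rules Chrome 80
// applies when deciding whether to attach a cookie. Illustrative code, not
// Chromium source. All site and cookie names below are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Parse a Set-Cookie header into its name, value and the attributes we care about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((part) => part.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    sameSite: null, // null: the attribute was not set at all
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'samesite': cookie.sameSite = (val || '').toLowerCase(); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Will Chrome 80 store this cookie at all? setScheme is the scheme of the
// response that carried the Set-Cookie header.
function chrome80Accepts(cookie, setScheme) {
  // New in Chrome 80: SameSite=None without Secure is rejected outright.
  if (cookie.sameSite === 'none' && !cookie.secure) return false;
  // Long-standing rule: Secure cookies may only be set over HTTPS.
  if (cookie.secure && setScheme !== 'https') return false;
  return true;
}

// Resolve the SameSite mode actually enforced. Unset or unrecognized values
// used to behave like None; Chrome 80 treats them as Lax.
function effectiveSameSite(cookie, legacyDefault) {
  if (['strict', 'lax', 'none'].includes(cookie.sameSite)) return cookie.sameSite;
  return legacyDefault ? 'none' : 'lax';
}

// Is the cookie attached to this request? request = { initiatorSite, targetSite,
// scheme, method, topLevel }, where sites are registrable domains (eTLD+1).
function cookieSent(cookie, request, legacyDefault = false) {
  if (cookie.secure && request.scheme !== 'https') return false;
  if (request.initiatorSite === request.targetSite) return true; // same-site: always sent
  switch (effectiveSameSite(cookie, legacyDefault)) {
    case 'strict': return false;
    // Lax: cross-site only on top-level navigations that use a safe method.
    case 'lax': return request.topLevel && SAFE_METHODS.has(request.method);
    case 'none': return true;
    default: return false;
  }
}

// Constructed CSRF scenario: bank.example set its session cookie without
// SameSite; a page on evil.example auto-submits a hidden form that POSTs to
// bank.example/transfer while the victim is logged in.
function csrfDemo() {
  const session = parseSetCookie('sid=abc123; Secure; HttpOnly');
  const forgedPost = {
    initiatorSite: 'evil.example', targetSite: 'bank.example',
    scheme: 'https', method: 'POST', topLevel: true,
  };
  return {
    beforeChrome80: cookieSent(session, forgedPost, true), // cookie rides along: CSRF works
    chrome80: cookieSent(session, forgedPost, false),      // Lax default withholds it
  };
}

// Constructed embedded-gateway scenario: shop.example loads pay.example in an
// iframe, and pay.example relies on its own session cookie inside that frame.
function embeddedGatewayDemo() {
  const iframeLoad = {
    initiatorSite: 'shop.example', targetSite: 'pay.example',
    scheme: 'https', method: 'GET', topLevel: false,
  };
  const unmarked = parseSetCookie('gw_session=xyz; Secure');
  const marked = parseSetCookie('gw_session=xyz; SameSite=None; Secure');
  const insecureNone = parseSetCookie('gw_session=xyz; SameSite=None');
  return {
    unmarkedBefore: cookieSent(unmarked, iframeLoad, true),    // worked before Chrome 80
    unmarkedChrome80: cookieSent(unmarked, iframeLoad, false), // breaks in Chrome 80
    markedChrome80: chrome80Accepts(marked, 'https') && cookieSent(marked, iframeLoad, false),
    insecureNoneStored: chrome80Accepts(insecureNone, 'https'), // rejected: None needs Secure
  };
}

console.log(csrfDemo(), embeddedGatewayDemo());
```

Real Chrome is a little more lenient than this model in one respect: for the first two minutes after a cookie without a SameSite attribute is set, Chrome 80 still sends it on top-level cross-site POSTs (the “Lax+POST” mitigation, meant to keep sign-in flows that bounce through an identity provider working). A CSRF check run seconds after logging in can therefore mislead you; wait out the window or set SameSite=Lax explicitly, which gets no such exception.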
Read more about SameSite cookies in practice and what CSRF is.
Beyond security, the policy is meant to give users greater transparency over, and control of, cookies that are accessed across multiple sites. These cross-site cookies are typically used by external services for advertising, content recommendation, third-party widgets, social embeds and more. It’s no surprise that user data privacy and control have become prominent topics with the emergence of privacy laws like GDPR and CCPA.
How SameSite Cookies Policy Affects eCommerce Sellers
“For Magento website owners, this may have some wide-reaching implications. Whether you realize it or not, your site may be reliant on cookies that fall into this category. For instance, you may have software like NewRelic running on your server, or you may be using an iFrame for a secure payment gateway, like PayPal, both of which are known to use such cookies. Additionally, if you have multiple domains and share cookies for your different sites, you may be impacted.”
Read more about the policy’s impact for Magento users on JetRail’s blog.
“As apps are loaded in the BigCommerce Control Panel using an iframe, any cookies that your app uses will be considered “cross-site” cookies from Chrome’s perspective. This includes things like session cookies which may be absolutely essential for your app to function.
Therefore, if these cookies are not set to have a SameSite=None; Secure policy, they will not be sent from the browser at all, and your application may fail to function as intended.”
Read more from BigCommerce’s Developer Changelog here.
“Since embedded Shopify apps run in an iframe on a different domain than the Shopify admin, they are considered to be in a third-party context.
If an app depends on session cookies for authentication but cookies are misconfigured, then Shopify might display the following error in the Shopify admin: ‘The application can’t be loaded, check that your browser allows third-party cookies.’”
Read more about how to work with the SameSite cookie attribute for Shopify here.
If you’re unsure whether this policy will impact your site, work with your developers or software vendor to make sure your site is ready for these changes. For developer guidance, web.dev has put together a helpful SameSite cookies guide that shows how to explicitly mark your cross-site cookies.
You don’t have to wait for the release to find out: Chrome 76 and later can enforce the new behaviour ahead of time through chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure, and the DevTools console warns about each cookie the new rules would affect. After February 4th, be sure to monitor your site and user traffic for errors that could result from this policy change.
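As an added example (not code from Shopify, BigCommerce or the web.dev guide), here is what the fix looks like on the server side for an app that runs inside a merchant-admin iframe: the session cookie is emitted with SameSite=None; Secure, plus a fallback copy for older clients that mishandle SameSite=None, following the double-cookie pattern the web.dev guide describes. The cookie name app_sid, the -legacy suffix and the one-hour lifetime are assumptions made for this example.

```javascript
// Added example for this article, not vendor code. Set-Cookie headers an
// iframe-embedded app should emit after Chrome 80, plus the server-side read.
// The cookie name, the "-legacy" suffix and the lifetime are assumptions.

const SESSION_COOKIE = 'app_sid';
const LEGACY_COOKIE = `${SESSION_COOKIE}-legacy`;

// Cookie values may not contain separators, quotes or whitespace (RFC 6265
// cookie-octet); reject rather than risk a malformed header.
function assertCookieValue(value) {
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/.test(value)) {
    throw new Error('invalid cookie value');
  }
  return value;
}

// Two Set-Cookie headers for one session:
//  1. the cookie modern browsers store and send into the cross-site iframe;
//  2. a fallback with no SameSite attribute for clients that mishandle
//     SameSite=None (Safari on iOS 12 / macOS 10.14 treats it as Strict;
//     Chrome 51-66 drops such cookies entirely). Those clients keep their
//     old default and still send the fallback cross-site, while Chrome 80
//     treats the fallback as Lax and simply ignores it inside the iframe.
function embeddedSessionHeaders(sessionId, maxAgeSeconds = 3600) {
  const v = assertCookieValue(sessionId);
  const common = `Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly`;
  return [
    `${SESSION_COOKIE}=${v}; ${common}; SameSite=None`,
    `${LEGACY_COOKIE}=${v}; ${common}`,
  ];
}

// Parse the request's Cookie header into a Map of name -> value.
function parseCookieHeader(cookieHeader) {
  const jar = new Map();
  for (const part of (cookieHeader || '').split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf('=');
    if (eq <= 0) continue;
    jar.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return jar;
}

// Resolve the session id, preferring the modern cookie and falling back to
// the legacy copy. Returns null when neither is present.
function sessionIdFromRequest(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  if (jar.has(SESSION_COOKIE)) return jar.get(SESSION_COOKIE);
  if (jar.has(LEGACY_COOKIE)) return jar.get(LEGACY_COOKIE);
  return null;
}

// Quick check for a Set-Cookie header you intend to use cross-site: under
// Chrome 80 both SameSite=None and Secure must be present.
function isCrossSiteReady(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes('samesite=none') && attrs.includes('secure');
}

console.log(embeddedSessionHeaders('demo-session-id'));
```

With Node’s built-in http server the pair is sent as one array: `res.setHeader('Set-Cookie', embeddedSessionHeaders(id))`. Run isCrossSiteReady over every Set-Cookie header your app and its third-party components emit; any header that fails and is meant to work inside the iframe is exactly the kind of cookie Chrome 80 will stop sending.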
Do you know of any other great resources for SameSite cookies? Leave recommendations in the comments below!