
There is a new attribute for cookies called SameSite that is by default set to allow GET requests cross-site, to prevent CSRF via other HTTP verbs.

As far as I know, all targeted ads rely heavily on cross-site cookies. Now, if browsers or a browser plugin would just intercept all the cookies and set them to SameSite Strict, wouldn't that effectively mean the end of targeted ads? (At least the cross-site type we are seeing all the time now, when something you recently checked on Amazon is advertised "everywhere" after that.)

Ilya Chernomordik

1 Answer


No.

The SameSite attribute is not new; what's new is the introduction of an explicit None value and the adoption of new defaults described by the Incrementally Better Cookies draft. This means that instead of cookies being sent with all requests by default, they must be explicitly marked for cross-site transfer.

That's it. Mark cookies as SameSite=None; Secure and they retain their legacy behaviour, enabling them to be sent on cross-site requests, as often utilised by advertising platforms.

You can read https://web.dev/samesite-cookies-explained for more context.

rowan_m
  • Yes, what you write is correct, but won't it be possible to very easily write a browser plugin that sets all the cookies to be like that, effectively preventing all cross-site cookies? – Ilya Chernomordik Jan 06 '20 at 18:52
  • Blocking all third-party cookies is already a built-in setting in Chrome. This change means that cookies now need to expressly mark their intent to be available in a third-party context. – rowan_m Jan 07 '20 at 20:26
  • Thanks for the info, I did not know it's already allowed. I have turned it on :) – Ilya Chernomordik Jan 07 '20 at 21:04
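To make the rules in the answer and the comments concrete, here is an added example (not code from the question, the answer, or any browser) that models how a browser decides whether to attach a cookie to a request under the new defaults: a cookie with no SameSite attribute is treated as Lax, Lax cookies go only on top-level navigations using a safe method, Strict cookies never go cross-site, and None cookies go cross-site only if they are also Secure and the request is HTTPS. The `parseSetCookie`, `isCookieAccepted` and `shouldSendCookie` functions, the request shape, and the `blockThirdParty` option (standing in for the browser setting rowan_m mentions) are all my own constructions; the Set-Cookie header strings are constructed sample input.

```javascript
// Methods that a Lax cookie may accompany on a cross-site top-level navigation.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a Set-Cookie header value into { name, value, sameSite, secure }.
// Other attributes (Path, Domain, Expires, ...) are ignored for this model.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [rawName, ...rawValue] = parts[0].split("=");
  const cookie = {
    name: rawName.trim(),
    value: rawValue.join("="),
    sameSite: null, // null means the attribute was not set
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, val] = attr.split("=").map((s) => s.trim());
    const k = key.toLowerCase();
    if (k === "secure") cookie.secure = true;
    else if (k === "samesite") cookie.sameSite = (val || "").toLowerCase();
  }
  return cookie;
}

// Under the new defaults a cookie marked SameSite=None without Secure is
// rejected when it is set, so it never reaches the cookie jar at all.
function isCookieAccepted(cookie) {
  return !(cookie.sameSite === "none" && !cookie.secure);
}

// request = { crossSite, method, topLevelNavigation, https } (all assumed fields).
// options.blockThirdParty models the browser's "block third-party cookies" setting.
function shouldSendCookie(cookie, request, options = {}) {
  if (!isCookieAccepted(cookie)) return false;
  if (!request.crossSite) return true; // same-site: every mode sends it
  if (options.blockThirdParty) return false; // user setting wins over the attribute

  // Missing or unrecognised values fall back to the new Lax default.
  const mode = cookie.sameSite === "strict" || cookie.sameSite === "none"
    ? cookie.sameSite
    : "lax";

  switch (mode) {
    case "strict":
      return false;
    case "lax":
      return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
    case "none":
      return cookie.secure && request.https;
  }
  return false;
}

// Constructed scenario: an ad network's cookie embedded via a third-party image
// (cross-site subresource, not a navigation) versus a legacy cookie without SameSite.
function demo() {
  const tracker = parseSetCookie("adid=abc123; SameSite=None; Secure");
  const legacy = parseSetCookie("session=xyz; Path=/");
  const imageRequest = { crossSite: true, method: "GET", topLevelNavigation: false, https: true };
  return {
    trackerSentOnEmbeddedImage: shouldSendCookie(tracker, imageRequest),
    legacySentOnEmbeddedImage: shouldSendCookie(legacy, imageRequest),
    trackerWithThirdPartyBlocked: shouldSendCookie(tracker, imageRequest, { blockThirdParty: true }),
  };
}

console.log(demo());
```

The model deliberately omits browser-specific relaxations (for example Chrome's temporary "Lax + POST" allowance for freshly set cookies), so treat it as the baseline rule set from the linked web.dev article rather than a full reimplementation of any browser.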