Chrome 80 debuts with a new cookie classification system. Google says the system is “secure by default”. It treats cookies with no declared SameSite value as SameSite=Lax cookies: “Only cookies set as SameSite=None; Secure will be available in third-party contexts, provided they are being accessed from secure connections,” Google says. It is worth noting developers have been aware of this change for some time. Google announced its plans for a new cookie classification system back in May 2019. Furthermore, Microsoft started testing SameSite cookies in Edge in May 2018. Of course, Edge is now based on Google’s Chromium web rendering language. It is unclear if Microsoft’s Edge team worked on the new cookies experience for Chrome 80.
Availability
The new version of Chrome is now available. However, the new cookie classification system won’t arrive until February 17 and even then, it will be limited to a set number of users. Over the weeks following that launch date, the change will reach all Chrome 80 users. “The new SameSite behavior will not be enforced on Android WebView until later, though app developers are advised to declare the appropriate SameSite cookie settings for Android WebViews based on versions of Chrome that are compatible with the None value, both for cookies accessed via HTTP(S) headers and via Android WebView’s CookieManager API. This does not apply to Chrome browser on Android, which will begin to enforce the new SameSite rules at the same time as the desktop versions of Chrome. The new SameSite behavior will not affect Chrome on iOS,” Google said in the launch timeline. If you want to see how Chrome works with the new system, you can check out the test page here.
