Tomorrow, February 4th, the latest Chrome update (v80) will make a significant change in how the browser handles cookie security. Embedded views on websites, especially those hosted on separate domains, may not load correctly after this update. The change will not impact every web application, but anyone using Tableau, Power BI, or Power Apps to embed content in cross-domain websites will want to review their functionality on Chrome 80. We want to make sure our clients and fellow developers are aware of this issue and know how to solve it.
Understanding Security for Cookies
Cookies are a ubiquitous way for web applications to track various bits of data about their users from what’s in their shopping cart to their user authentication information. At its core, a cookie is nothing more than a small bundle of data sent to a user’s web browser and stored on the user’s computer or device. Cookies are useful to pass information from one web page to another without encoding it as a URL parameter, which is markedly less safe for sensitive information. Cookies may contain attributes that determine, for example, how the cookie may be used or when the cookie will expire and be deleted. Cookies are associated with the domain that created them and are primarily intended for use by that domain—third-party tracking cookies are perhaps the most famous exception to this rule.
When consumed by third parties (like web applications outside the cookie’s prescribed domain), cookies can represent a privacy and security threat because they contain information about a user and his or her activities. Because of these concerns, the SameSite cookie attribute was created to allow control of the delivery of a cookie based on a request’s domain. If SameSite is set to Strict, the cookie data will only be sent in connection with requests from the cookie’s originating domain (first-party requests). If SameSite is set to Lax, the cookie is only sent upon same-site (first-party) requests or top-level navigation using a secure HTTP method. If SameSite is not used, there are no restrictions on the cookie and it will be sent with every request.
How Chrome is Changing Cookie Security
Chrome v80 is changing its default behavior to assume SameSite=Lax if the SameSite attribute isn’t set. Chrome will only serve cookies without restriction if the SameSite attribute is set to None, a new value created for this purpose. Therefore, any web applications that rely on serving cookies across domains will no longer function as intended unless they add SameSite=None to their cookies’ headers. The rationale for the change is that most web applications don’t need cross-domain functionality and are needlessly exposed to Cross-Site Forgery Request (CSRF) attacks with the current default behavior. Thus, forcing web developers to make an intentional choice to allow unrestricted third-party transmission of their cookies is the safer option.
Unfortunately, updating a web application to address the v80 change isn’t necessarily as simple as it might seem. First, not all languages currently support the None value which may result in extra work for developers to find a work-around. Second, many browsers will not recognize None as a valid value and enforce invalid SameSite values as if SameSite=Strict were set—potentially resulting in a need for the creation of browser-specific exceptions.
How to Make Sure Embedded Views Work in Chrome 80+
To ensure your embedded views or content function correctly, you need to do one or both of the following:
- Make sure your embedded content is hosted on the same root domain as the website you are embedding the content on.
- Make sure your cookies intentionally allow for cross-domain content.
For more in-depth information about this issue, see the following articles:
v80: Cookies default to SameSite=Lax
v80: Reject insecure SameSite=None cookies
Developers: Get Ready for New SameSite=None; Secure Cookie Settings
Official Work-Around Instructions from Tableau
Microsoft forum discussion on Stream update regarding this issue
