Chrome 80 is out with SameSite Cookie Changes and mixed content upgrades
Google released Chrome 80 to the Stable channel today; the new version of the web browser is available for all supported desktop operating systems -- Windows, Linux, Mac -- as well as mobile operating systems.
Desktop users may run a check for updates to update the web browser right away, but the update should be distributed to most systems automatically in the coming days. If you want to run a manual check, load chrome://settings/help in the browser's address bar. Chrome contacts the update server to install the new version if one is discovered.
The big change in Chrome 80, apart from the usual security fixes and improvements, is the enforcement of the new cookie classification system. Google revealed plans in May 2019 to improve cookie controls and protections in the company's browser through the SameSite cookie attribute.
SameSite supports three values, of which "lax" is the default in Chrome; the value is set automatically if the site does not set one. Lax offers a compromise between security and convenience by blocking cookies from being sent in third-party contexts unless developers set the value to "SameSite=None; Secure", which ensures that third-party cookies will only be sent over HTTPS connections.
Google published a video, aimed at developers, that explains the concept in detail.
The SameSite=Lax enforcement is being rolled out starting in February. Google plans to enable it for a small group of users and increase the availability over time.
Tip: if you don't want to wait, you can make the change right away. Load chrome://flags/#same-site-by-default-cookies in the browser's address bar to open the experimental flag. Set the flag to enabled and restart the Chrome browser to apply the change.
The test that Google created somehow fails to return the correct results when using the flag. According to Google, all rows of the test page should be green if SameSite=Lax is being used but that was not the case for one test row.
Developers may consult this Chromium blog post for additional information on using SameSite on their webpages.
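For site owners who want to check their own cookies before the rollout reaches their users, here is an added example (not code from Google or from the original article) that classifies Set-Cookie headers under the rules described above, including Chrome's rejection of SameSite=None cookies that lack the Secure attribute. The sample headers, cookie names and the `neededCrossSite` list are constructed for illustration.

```javascript
// Added example, not Chrome's code. Sample headers are constructed.

// Split one Set-Cookie value into the cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? '' : attr.slice(i + 1).trim();
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attributes };
}

// Decide how the cookie is treated once SameSite-by-default is enforced.
function classifyCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const declared = (attributes.samesite || '').toLowerCase();
  const secure = 'secure' in attributes;
  // No recognised SameSite value: the browser applies Lax (unrecognised
  // values are handled like a missing attribute; assumption of this sketch).
  const mode = ['strict', 'lax', 'none'].includes(declared) ? declared : 'lax';
  if (mode === 'none' && !secure) {
    return { name, mode: 'rejected', thirdParty: false, defaulted: false };
  }
  return { name, mode, thirdParty: mode === 'none', defaulted: declared !== mode };
}

// Report cookies that the site needs in third-party contexts but that will
// no longer be sent there. `neededCrossSite` is a hypothetical input list.
function auditCookies(headers, neededCrossSite) {
  return headers
    .map(classifyCookie)
    .filter((c) => neededCrossSite.includes(c.name) && !c.thirdParty)
    .map((c) => `${c.name}: ${c.mode}${c.defaulted ? ' (default)' : ''}`);
}

// Constructed sample headers.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',
  'widget=w1; SameSite=None; Secure',
  'embed=e9; SameSite=None',
  'prefs=dark; SameSite=Strict; Secure',
];

console.log(auditCookies(SAMPLE_HEADERS, ['session', 'widget', 'embed']));
```

Each reported cookie needs "SameSite=None; Secure" if it really has to be sent in third-party contexts.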
Chrome 80 adjusts how the browser handles mixed content to improve accessibility. Mixed content refers to non-HTTPS content on secure webpages. A simple example would be an image or script that is loaded via HTTP on an HTTPS site. The new browser attempts to upgrade HTTP content to HTTPS by rewriting the URL. The content is still blocked if the upgrade fails, i.e. if the resource is not available via HTTPS.
Chrome 80 will only upgrade audio and video resources this way. Google plans to do the same for images loaded via HTTP on HTTPS sites in Chrome 81.
Deprecation of FTP support begins in Chrome 80 as well. FTP is still enabled in that release. In Chrome 81, FTP support is disabled by default but may be re-enabled using the flag or the startup parameter --enable-features=FtpProtocol. Chrome 82 won't support FTP anymore.
Notification requests are made less annoying in Chrome 80 as well. Google announced the change in January 2020 to combat an ever increasing number of sites that ask users for permission to push notifications to their systems.
Now You: what is your take on Chrome 80?