The Google Chrome team has introduced two experimental flags in Chrome that should make cookies safer for everyone by default, although they could cause problems for older websites.
Cookies are, among other things, the way your browser lets a website know that you are signed in. In the past it was easy for a malicious website to take advantage of your browser being signed in to another site, either to access private information or to perform actions you did not authorize. Since then it has become simple for web developers to protect that information manually by tagging their site’s cookies with the “SameSite” and/or “Secure” attributes.
The first flag (#same-site-by-default-cookies) tells Chrome to treat cookies that do not specify a SameSite attribute as if they were set to SameSite=Lax. This should keep them reasonably safe from cross-site misuse without disrupting normal browsing.
The second flag (#cookies-without-same-site-must-be-secure), if enabled, additionally tells Chrome to require that cookies which do not specify SameSite also carry the “Secure” attribute. If the cookie cannot be secure, because it was set over an insecure connection, Chrome will block it altogether.
This is a much more aggressive policy and will almost certainly cause problems for users of websites that have not yet moved to HTTPS.
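To make the two policies concrete, here is an added example (not Chrome’s code, nor anything from the article) that models how a Set-Cookie header would be treated under each flag and shows the hardened header a developer would send instead. It assumes that “cookies without SameSite” for the second flag means cookies with no effective cross-site restriction, i.e. an explicit SameSite=None or no attribute at all while the first flag is off.

```python
# Constructed model (not Chrome's implementation) of how the two flags above
# decide the fate of a Set-Cookie header.
# Assumption: "cookies without SameSite" for the second flag means cookies
# with no effective cross-site restriction, i.e. an explicit SameSite=None
# or no attribute at all while the first flag is off.


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return parts[0].partition("=")[0].strip(), attrs


def evaluate(header, *, same_site_by_default, must_be_secure, https):
    """Return (stored, effective_samesite, reason) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    samesite = samesite.capitalize() if isinstance(samesite, str) else None
    secure = "secure" in attrs
    if samesite is None and same_site_by_default:
        samesite, reason = "Lax", "no SameSite attribute, defaulted to Lax"
    elif samesite is None:
        samesite, reason = "None", "no SameSite attribute, unrestricted (legacy)"
    else:
        reason = f"explicit SameSite={samesite}"
    if secure and not https:  # a Secure cookie cannot be set over plain HTTP
        return False, None, f"{name}: blocked, Secure attribute on an insecure connection"
    if must_be_secure and samesite == "None" and not secure:
        return False, None, f"{name}: blocked, SameSite=None without Secure"
    return True, samesite, f"{name}: {reason}"


def harden(header, cross_site=False):
    """Rewrite a legacy header so it survives both flags: same-site cookies get
    SameSite=Lax; cookies that must travel cross-site get SameSite=None + Secure."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = [a for a in parts[1:] if not a.lower().startswith("samesite")]
    if cross_site:
        attrs.append("SameSite=None")
        if not any(a.lower() == "secure" for a in attrs):
            attrs.append("Secure")
    else:
        attrs.append("SameSite=Lax")
    return "; ".join([parts[0]] + attrs)
```

Running `evaluate("session=abc123; Path=/; HttpOnly", same_site_by_default=False, must_be_secure=True, https=False)` reproduces the case the article warns about: a legacy cookie from a non-HTTPS site is dropped outright.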
It’s hard to argue against the security benefits these two policies offer, but there are definitely some concerns to be raised. As the two flags are only just appearing in Canary, we are not likely to see them reach the stable channel until Chrome 76 at the earliest. That should give web developers plenty of time to test the flags and report any issues to Google.