Chrome Canary SameSite



We have been asked a few times about the new rules for SameSite cookies that will be fully enforced in Google Chrome and Chrome-based browsers from February 2020. This blog post explains what these changes mean for your use of Beacon.

In summary

We have already made all the changes needed to handle the new cookie policies in the main web browsers; no changes are required in your use of Beacon.

In more detail: Same Site security

To see the stricter behaviour ahead of the February release you need to run a Canary build of Chrome with the --enable-features=SameSiteDefaultChecksMethodRigorously command-line option. This means you can't just launch Chrome Canary from its icon; you need to start it from a terminal or command prompt so that the option is passed in. With it enabled, the Chrome console reports each affected cookie with a warning like this (with the resource's address in place of [URL]):

A cookie associated with a cross-site resource at [URL] was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`.

What is Same Site security and why does it matter now?

Cookies are one of the methods available for adding persistent state to web sites. Over the years their capabilities have grown and evolved, but they have left the platform with some problematic legacy issues. To address this, browsers (including Chrome, Firefox and Edge) are changing their behaviour to enforce more privacy-preserving defaults.

The SameSite attribute lets a cookie declare its intended scope. Cookies that belong to the domain of the current site, i.e. the one shown in the browser's address bar, are referred to as first-party cookies; cookies from domains other than the current site are referred to as third-party cookies. This isn't an absolute label but is relative to the user's context: the same cookie can be first-party or third-party depending on which site the user is on at the time. Third-party cookies have often been abused by digital marketing platforms to track users' interests across sites and advertise to them, often without the user knowing this is happening or consenting to their data being used in this way.

Recent international interest in privacy and data security, combined with GDPR legislation in the EU (and similar legislation in the US and other territories), has brought the whole area of cookies and how they are used (and abused) under public scrutiny.

Firefox and Safari currently block third-party tracking cookies outright, with no way for the site that set them to signal intent. The digital ad industry (of which Google is a significant part) argues that doing the same in Chrome could cripple the digital ecosystem as an unintended consequence of rightly protecting people's privacy. Google has therefore gone down the route of letting websites declare, through the SameSite attribute, how widely a cookie may be sent, so that non-malicious uses are not blocked, while the default becomes to block cookies that follow an individual browser as a single entity across multiple sites.

What Beacon is & is not.

Beacon is not a tool for advertising to people or sorting people into groups or categories to advertise to. Beacon is a tool for monitoring the success of a digital activity, which may include adverts from ad platforms, such as Facebook promoted posts or Google AdWords. We only monitor users on a per-site basis; we do not track users across different Beacon customers.

How to test new SameSite security rules.

For anyone not aware, you can test your systems against the SameSite rules by installing the Chrome Canary build. Once it is installed, open it and go to the flags page by typing 'chrome://flags' into the address bar.

Once on this page, use the search bar at the top to search for SameSite and enable all the options presented. A Relaunch button then appears in the bottom right of the browser; click it and Chrome Canary will restart with the soon-to-come SameSite rules in force, see the screenshot below.

How BWAI uses cookies and evidence.

For this example, I'm going to use a charity site set up by one of my colleagues, https://www.umbr.uk. This is for two reasons: first, it is a small site that is easy to show examples with; secondly, it is not on our domain, so requests from it to thisisbeacon.com domains are cross-site under the SameSite rules, unlike if I tested with www.thisisbeacon.com.

When visiting the site, if you bring up the inspector (right click, then Inspect) and go to the Console tab you will see some warnings about blocked cookies.

The first is from our legacy tracker (which is being removed early in 2020 as we no longer support it). To see the cookies themselves, switch to the Application tab, expand Cookies in the left-hand sidebar and click on your domain; it will show the cookies in use on that domain.

Here you can see this website has two cookies. The first, bwai, is our new system cookie; it is locked to this site only and prevents us from identifying a browser visiting multiple sites, in line with our GDPR policy, which protects the information of the users of our clients' sites.
The second, highlighted in yellow, has been blocked: this is the legacy tracker mentioned above.

Another way to see that our system is still operating fully within the Chrome Canary build is to type bwai into the console. The following object appears once Beacon has loaded and is operating correctly:

Please note that this object will not become available if there are errors at any point during page load/set-up.
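Both things seen above, the console warning for a cookie set without a SameSite attribute and the legacy tracker cookie being withheld while bwai keeps working, follow from a small set of rules. What follows is an added example written for this post, not Beacon's own code, that models the Chrome 80 rules in JavaScript: isSameSite() applies the first-party/third-party distinction explained earlier (using a cut-down public-suffix list, an assumption made for the example), auditSetCookie() reproduces the checks Chrome makes when a Set-Cookie header arrives, fixSetCookie() rewrites a header so it passes them, and wouldSendCookie() decides whether a stored cookie travels with a later request, including the two-minute "Lax+POST" exception that the SameSiteDefaultChecksMethodRigorously feature named earlier switches off. The cookie names and the collector URL are made up.

```javascript
// Added example, not Beacon's code: a model of Chrome 80's SameSite rules.
// Assumption: the public-suffix list below is a stub; a browser uses the full PSL.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
const LAX_POST_WINDOW_SECONDS = 120; // Chrome's "Lax+POST" grace period

// "www.umbr.uk" -> "umbr.uk", "a.example.co.uk" -> "example.co.uk"
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length < 2) return labels.join(".");
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Same-site = the top-level page and the request share a registrable domain.
// Chrome 80 compared domains only; the scheme was not yet part of the check.
function isSameSite(topLevelUrl, requestUrl) {
  return registrableDomain(new URL(topLevelUrl).hostname) ===
    registrableDomain(new URL(requestUrl).hostname);
}

function splitPair(text) {
  const i = text.indexOf("=");
  return i < 0 ? [text, ""] : [text.slice(0, i), text.slice(i + 1)];
}

// Parse one Set-Cookie header into the attributes the SameSite rules use.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const [name, value] = splitPair(nameValue);
  const cookie = { name, value, sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, val] = splitPair(attr);
    const k = key.toLowerCase();
    if (k === "secure") cookie.secure = true;
    else if (k === "samesite" && ["none", "lax", "strict"].includes(val.toLowerCase())) {
      cookie.sameSite = val.toLowerCase(); // unknown values count as unspecified
    }
  }
  return cookie;
}

// What Chrome 80 does on receipt. crossSite: the header arrived in a response
// to a cross-site request (e.g. a tracker script on someone else's page).
function auditSetCookie(header, { crossSite }) {
  const cookie = parseSetCookie(header);
  const problems = [];
  if (cookie.sameSite === "none" && !cookie.secure) {
    problems.push({ action: "rejected", reason: "SameSite=None cookies must also be Secure" });
  } else if (cookie.sameSite === null && crossSite) {
    problems.push({ action: "treated-as-lax",
      reason: "set without SameSite on a cross-site resource; it will not be sent with cross-site requests unless marked SameSite=None; Secure" });
  }
  return { cookie, stored: !problems.some((p) => p.action === "rejected"), problems };
}

// Rewrite a header so it passes the audit: explicit Lax for first-party use,
// None plus Secure only for a cookie that genuinely has to travel cross-site.
function fixSetCookie(header, { crossSite }) {
  const parts = header.split(";").map((s) => s.trim());
  const kept = parts.filter((p, i) => i === 0 || !/^(samesite|secure)$/i.test(splitPair(p)[0]));
  kept.push(crossSite ? "SameSite=None" : "SameSite=Lax");
  if (crossSite) kept.push("Secure");
  return kept.join("; ");
}

// Whether a stored cookie is attached to a request. Assumes the cookie's own
// Domain/Path already match the request; only scheme and SameSite are modelled.
function wouldSendCookie(cookie, { topLevelUrl, requestUrl, method = "GET",
  topLevelNavigation = false, ageSeconds = 0, rigorous = false }) {
  if (cookie.secure && new URL(requestUrl).protocol !== "https:") return false;
  if (isSameSite(topLevelUrl, requestUrl)) return true;
  const safe = SAFE_METHODS.has(method.toUpperCase());
  switch (cookie.sameSite || "unspecified") {
    case "none": return cookie.secure;
    case "strict": return false;
    case "lax": return topLevelNavigation && safe;
    default: // no attribute: Lax by default, plus the Lax+POST exception for
      // fresh cookies, which SameSiteDefaultChecksMethodRigorously turns off
      if (!topLevelNavigation) return false;
      if (safe) return true;
      return !rigorous && ageSeconds < LAX_POST_WINDOW_SECONDS;
  }
}

// Constructed scenario: a visitor on the charity site, a collector script from
// another site. Cookie names and the collector URL are made up for the example.
function demo() {
  const hit = { topLevelUrl: "https://www.umbr.uk/", requestUrl: "https://collect.thisisbeacon.com/hit" };
  const legacy = parseSetCookie("legacy_tracker=t1; Path=/; Domain=.thisisbeacon.com");
  const fixed = parseSetCookie(fixSetCookie("legacy_tracker=t1; Path=/", { crossSite: true }));
  return {
    legacySent: wouldSendCookie(legacy, hit), // false: withheld, as seen in DevTools
    fixedSent: wouldSendCookie(fixed, hit),   // true: SameSite=None; Secure
  };
}
```

Run it with node; demo() returns { legacySent: false, fixedSent: true }, which is the DevTools picture above: the cookie without a SameSite attribute is withheld from the cross-site request, and the same cookie re-issued as SameSite=None; Secure goes through. Note that "fixing" a tracker cookie that way re-enables cross-site delivery, which is exactly the choice the new defaults force a site to make explicitly; for a first-party cookie like bwai the right setting is SameSite=Lax.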

Google Chrome Vs Canary

The astute among you will notice that the cookie shown in this object matches the bwai cookie from the last image, and if you refresh the page and type bwai into the console again it still matches, so the cookie persists across page loads.

Conclusion


The changes to cookie usage and the enforcement of SameSite information are a good step towards protecting individuals' privacy and allowing those individuals to be informed about how their data is used, as required by GDPR. At Beacon, we fully support these moves and have taken steps to ensure that the Beacon platform works fully within these requirements.
