Google appears to be hard at work on new security features that build on its previously implemented site isolation and keep cookies more private by force, based on new flag settings spotted by 9to5Google. In effect, the new settings let users browse normally but mark cookies (the trackable data that sites store) as usable only via secured sites, while limiting which cookies a given site can access in the first place.
That all centers on how web developers do or don’t handle their own cookies. The first experimental setting forces cookies that are set without a “SameSite” value to be marked as “SameSite=Lax” by default. That blocks one site’s cookies from being used while the user is connected to another site, under a range of conditions that would typically make them vulnerable.
The second experimental setting builds on that by forcing the browser to secure cookies from sites that haven’t marked the cookies with “SameSite” at all. The attribute is used to ensure that some data remains the same when users navigate from page to page within the same site — for example, keeping users logged in when they click a link on the site to move to another page.
The flag makes sure that unmarked cookies are marked as “Secure” wherever that can be done, effectively blocking the cookies entirely where web developers haven’t marked them. Importantly, it will also block cookies when they come from a website that isn’t served over HTTPS.
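As an added example (not from the original article or from Chrome's source), the JavaScript below models how a Set-Cookie header fares with both flags on, following Chrome's own flag descriptions: a cookie with no SameSite attribute is treated as Lax, and a SameSite=None cookie without Secure is rejected. The function names and sample headers are constructed for illustration.

```javascript
// Added example: models a Set-Cookie header's fate with both flags enabled.
// Function names and the sample headers below are constructed for illustration.
const KNOWN = ['strict', 'lax', 'none'];

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

function auditSetCookie(header) {
  const c = parseSetCookie(header);
  if (c.sameSite !== null && !KNOWN.includes(c.sameSite)) {
    // Not modelled here: report the typo instead of guessing the browser's fallback.
    return { name: c.name, effective: null, rejected: false, advice: 'fix invalid SameSite value' };
  }
  // #same-site-by-default-cookies: no SameSite attribute means Lax.
  const effective = c.sameSite || 'lax';
  // #cookies-without-same-site-must-be-secure: SameSite=None requires Secure.
  const rejected = effective === 'none' && !c.secure;
  let advice = 'ok';
  if (rejected) advice = 'add Secure or the cookie is rejected';
  else if (c.sameSite === null) advice = 'defaulted to Lax; declare SameSite explicitly';
  return { name: c.name, effective, rejected, advice };
}

// Constructed sample response headers.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; HttpOnly',
  'widget=1; Path=/; SameSite=None',
  'widget=1; Path=/; SameSite=None; Secure',
  'prefs=dark; SameSite=Strict',
  'ab=7; SameSite=Nope',
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`${r.name}: SameSite=${r.effective}, rejected=${r.rejected} (${r.advice})`);
}
```

Run against a site's real response headers, the same audit shows which cookies would silently change behaviour (defaulted to Lax) and which would disappear (rejected) before the flags are turned on for testing.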
Stacking on top of more localized security
The changes build on Google’s previous efforts to keep sites and their associated data from being accessed maliciously, but they swing things in a web-based direction compared to some of those changes. Among the most recent related changes is the company’s move to ensure that sites remain isolated. Site isolation was activated in Chrome 66 and Google has already built on it since, but this new change takes a more direct approach.
Site isolation works by cordoning off local memory resources on a user’s hardware from being accessed across sites. That eats up quite a bit more RAM and resources, but it also prevents that data from being accessed. The latest change suggests Google wants to push that level of security further at the browser level and for cookies themselves.
Turn it on, only in Canary
Both flags need to be enabled in order to take advantage of the features. That’s fairly straightforward, but they are only present in Chrome’s Canary Channel for the time being. There’s no official timeline for a fuller release on the Stable Channel, and there’s also nothing to guarantee they’ll ever be made available without the need to activate flags.
Because the change will impact the security aspects of Chrome, Google likely wants to take its time to be as certain as possible that it isn’t creating new problems or bugs.
To activate the flags themselves in Chrome Canary, users will need to navigate to the “chrome://flags” page and use the search bar at the top to first find the “#same-site-by-default-cookies” setting. That will need to be switched over to “Enabled” in the corresponding drop-down menu. The second flag can be found by searching for “#cookies-without-same-site-must-be-secure” and the same steps will activate it.
After both have been switched to Enabled, users will need to relaunch the browser with the button that should appear at the bottom of the browser window’s UI.