Throughout the years, Google (the search engine giant) has always been an advocate for proper website security when browsing the internet and has paved the way through its own popular browser, Chrome.
Back in 2011, they chose to move all their services to HTTPS by default, proving that they were years ahead of when the public started taking a serious look at security. And in 2014 they decided to increase security even further by publicly announcing that HTTPS was now a ranking factor in Google search. This significant change forced the digital community to switch from HTTP to HTTPS protocols in order to be found on Google. In 2018, Google Chrome identified HTTP sites as ‘not secure’, highlighting the lack of encryption and making it obvious for website owners and visitors alike.
The latest expected update, Chrome 80, is said to be one of the most significant yet, potentially introducing a number of problems, such as users being blocked from certain websites and a degraded user experience. The update is expected to roll out SameSite cookie changes that will presumably interfere with certain websites' functionality, making cookies available to third parties only if they are accessed over secure connections.
The purpose of the SameSite attribute on a cookie is to control its cross-domain behaviour. SameSite is said to be a reasonable defence against some classes of cross-site request forgery (CSRF) attacks, but as it stands, developers need to opt into its protection by including a SameSite attribute. If they don’t, websites are vulnerable to CSRF attacks unless otherwise specified. The change in the latest Chrome 80 update will ensure that websites are protected from this by default.
Google has expressed its plans and ultimate goal to the public, which is to phase out support for third-party cookies in Chrome altogether. The change was inspired by people expressing a desire for greater privacy and control over their data. Google also stated that their goal was to develop a better, more efficient system that would work for the whole web ecosystem, including publishers.
The plan to force third-party cookies onto HTTPS was first revealed in May 2019, allowing website admins enough time to update their websites and make sure that no problems would occur at launch. But just in case you didn’t get the news, here is a quick guide on how to check for and fix mixed content issues on your website.
The first step involves carrying out a site audit on your website, checking every webpage and looking out for resources that begin with http:// instead of https://. Only use https:// URLs when loading resources on your page.
You might find that some resources are not available over https://, in which case do one of the following: either add the resource from a different host if one is available, or download and host the content on your site directly if you are legally allowed to do so. If and when you find any resources beginning with http://, promptly change them by saving the source file and redeploying the updated file if necessary.
To make sure that the change was successfully made, view the page where you found the error originally and verify that the error no longer appears.
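The audit step above can be automated. The following is an added example, not code from the original article: a small Python scanner that lists subresources a page loads over http://. It goes slightly beyond the article by labelling each finding as active or passive mixed content (the W3C Mixed Content distinction), and the host names in the sample page are constructed.

```python
from html.parser import HTMLParser

# Passive ("optionally blockable") types in the W3C Mixed Content spec;
# any other subresource is active ("blockable") mixed content.
PASSIVE_TAGS = {"img", "audio", "video", "source"}
SRC_TAGS = PASSIVE_TAGS | {"script", "iframe", "embed", "track"}
# <link> fetches only for some rel values; rel=canonical is just metadata.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, url, kind) for subresources loaded over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in SRC_TAGS:
            url = a.get("src", "")
        elif tag == "link" and FETCHING_RELS & set(a.get("rel", "").lower().split()):
            url = a.get("href", "")
        else:
            return  # e.g. <a href> is navigation, not a subresource load
        if url.strip().lower().startswith("http://"):
            kind = "passive" if tag in PASSIVE_TAGS else "active"
            self.findings.append((self.getpos()[0], tag, url.strip(), kind))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (hypothetical hosts, not from any real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
</head><body>
<img src="HTTP://img.example.com/logo.png">
<a href="http://other.example.com/">a plain link</a>
<script src="//cdn.example.com/relative.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, kind in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {url} ({kind} mixed content)")
```

Plain links and rel=canonical are skipped because they do not load a resource into the page, and the protocol-relative `//` URL is skipped because it inherits the page's own scheme.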
As is proper practice, Google often rolls out new features and other changes in stages, making sure to verify that updates have worked as expected before releasing the changes to the public. Enforcement of the new cookie classification system in the Chrome 80 update was released in February 2020 to a small select group of users. If the update functions as planned, the world can expect it to be gradually distributed over time and thus become the new global standard for website security.