Chrome will restrict third-party cookies and protect against covert tracking

Google has announced upcoming changes to Chrome intended to improve privacy. The first part of the changes concerns cookie handling and support for the SameSite attribute.

Starting with Chrome 76 (expected in July), the flag "same-site-by-default-cookies" will be enabled: when the Set-Cookie header carries no SameSite attribute, the browser will apply "SameSite=Lax" by default, which stops the cookie from being sent on most requests initiated from third-party sites.

Sites can still lift the restriction by explicitly setting "SameSite=None" when the cookie is set.

The SameSite attribute lets the browser (Chromium) determine the situations in which it is acceptable to send a cookie on a request that originates from a third-party site.

Currently, the browser sends cookies on every request to the site that set them, even when the user is actually on a different site and the request is made indirectly, for example by loading an image or an iframe.

About SameSite

Ad networks use this behaviour to track users as they move between sites, and attackers use it to mount CSRF attacks: when a page under the attacker's control is opened, it silently issues a request to another site on which the current user is authenticated, and the user's browser attaches the session cookies to that request.

On the other hand, sending cookies to third-party sites is what makes embedded widgets work, for example YouTube or Facebook integrations placed on a page.

By using the SameSite attribute, a site can control this behaviour when setting a cookie and allow it to be sent only on requests initiated from the site that originally set it.

SameSite can take three values: "Strict", "Lax" and "None".

In "Strict" mode the cookie is not sent on any kind of cross-site request, including top-level navigations that follow a link from an external site.

In "Lax" mode the restrictions are softer: the cookie is withheld only for cross-site requests such as image loads, content embedded via an iframe and cross-site POST requests, but it is still sent when the user follows a link to the site (a top-level navigation using a safe method such as GET).

The difference between "Strict" and "Lax" therefore comes down to whether the cookie is sent when the user follows a cross-site link.

Other changes

Among the other changes planned for future versions of Chrome is a strict rule forbidding third-party cookies over non-HTTPS requests: a cookie with SameSite=None will only be accepted if it also carries the Secure attribute, i.e. it is set over HTTPS.
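The following is an added example, not Chrome's own code, that models the rules described in the SameSite section and in the paragraph above: it parses Set-Cookie headers, treats a missing SameSite attribute as Lax, rejects SameSite=None cookies that are not Secure, and then decides which cookies a request receives depending on whether it is cross-site, top-level and uses a safe method. The CSRF case from the section above (a hidden form auto-submitted from an attacker's page) is one of the constructed requests. The helper names (`siteOf`, `storeCookies`, `cookiesFor`) and the sample hosts `bank.example` and `evil.example` are assumptions for the example; `siteOf` simplifies "site" to the last two host labels, whereas real browsers use the Public Suffix List.

```javascript
// Added example, not Chrome's own code: a small model of the SameSite rules.
// Assumption: siteOf() takes the last two host labels as the "site"; real
// browsers consult the Public Suffix List (e.g. for co.uk), omitted here.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header into { name, value, secure, sameSite }.
// sameSite is null when the attribute is absent.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    else if (k.toLowerCase() === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Missing or unrecognised SameSite => treated as Lax (same-site-by-default-cookies).
function effectiveSameSite(cookie) {
  return ['strict', 'lax', 'none'].includes(cookie.sameSite) ? cookie.sameSite : 'lax';
}

// Store cookies from Set-Cookie headers. SameSite=None without Secure is
// rejected, as the article says Chrome will do. Returns the accepted cookies.
function storeCookies(setCookieHeaders) {
  const jar = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (effectiveSameSite(c) === 'none' && !c.secure) continue; // rejected
    jar.push(c);
  }
  return jar;
}

// ctx: { url, initiatorSite, topLevel, method }; initiatorSite is the site of
// the document that caused the request. Returns the names of cookies attached.
function cookiesFor(jar, ctx) {
  const crossSite = ctx.initiatorSite !== siteOf(ctx.url);
  return jar
    .filter((c) => !c.secure || ctx.url.startsWith('https:')) // Secure => HTTPS only
    .filter((c) => {
      if (!crossSite) return true;
      switch (effectiveSameSite(c)) {
        case 'strict': return false;
        case 'none': return true;
        default: return ctx.topLevel && SAFE_METHODS.has(ctx.method.toUpperCase()); // lax
      }
    })
    .map((c) => c.name);
}

// Constructed sample: cookies set by https://bank.example
const jar = storeCookies([
  'sid=abc123',                        // no attribute => Lax by default
  'widget=on; SameSite=None; Secure',  // explicitly allowed cross-site
  'legacy=1; SameSite=None',           // None without Secure => rejected
  'csrf=xyz; SameSite=Strict; Secure',
]);

// Attacker page on evil.example auto-submits a hidden form (classic CSRF).
const csrfPost = cookiesFor(jar, { url: 'https://bank.example/transfer', initiatorSite: 'evil.example', topLevel: true, method: 'POST' });
// <img src="https://bank.example/avatar.png"> embedded on evil.example.
const imgLoad = cookiesFor(jar, { url: 'https://bank.example/avatar.png', initiatorSite: 'evil.example', topLevel: true && false, method: 'GET' });
// User clicks a link on evil.example that leads to bank.example.
const linkClick = cookiesFor(jar, { url: 'https://bank.example/', initiatorSite: 'evil.example', topLevel: true, method: 'GET' });
// Same-site request made by a bank.example page itself.
const sameSite = cookiesFor(jar, { url: 'https://bank.example/api', initiatorSite: 'bank.example', topLevel: false, method: 'POST' });

console.log({ csrfPost, imgLoad, linkClick, sameSite });
```

With the default-Lax rule the session cookie `sid` is no longer attached to the forged POST or to the embedded image, which is what neutralises the CSRF and tracking cases above, while it still travels on a user-initiated link click; only the cookie explicitly marked `SameSite=None; Secure` goes everywhere.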

In addition, work is planned on protection against browser fingerprinting, including techniques that build an identifier from indirect data such as screen resolution, the list of supported MIME types, specific parameters in the HTTP/2 and HTTPS (TLS) handshakes, the set of plugins and installed fonts, the availability of particular web APIs, graphics-card-specific rendering behaviour in WebGL and Canvas, CSS manipulations, and analysis of mouse and keyboard characteristics.

Chrome will also gain protection against abuses that make it hard to return to the original page after moving to another site (a welcome measure against sites that bounce you between pages).

This refers to the practice of flooding the navigation history with a chain of automatic redirects, or artificially adding dummy entries to the browsing history (via pushState), so that the user cannot use the "Back" button to return to the original page after an accidental click or a forced redirect to a scam site.

To counter such manipulation, Chrome's Back button handler will skip history entries created by automatic forwarding and history manipulation, leaving only the pages that were opened by explicit user action.
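The following is an added example, not Chrome's own code, that models the history-stuffing abuse and the countermeasure described above: each history entry records whether an explicit user action created it, and a hardened Back walks past entries that were added without one. The helper names (`makeHistory`, `addEntry`, `backNaive`, `backSkippingAuto`, `scenario`) and the hosts `news.example` and `scam.example` are assumptions for the example; the user-gesture flag stands in for the browser's own tracking of how an entry was created.

```javascript
// Added example, not Chrome's own code: a model of the Back-button protection.
// Entry: { url, userInitiated }. userInitiated is true only when the user
// clicked a link or typed a URL; script-driven pushState() calls and automatic
// forwarding without a user gesture create entries with userInitiated = false.

function makeHistory(startUrl) {
  return { entries: [{ url: startUrl, userInitiated: true }], index: 0 };
}

function addEntry(h, url, userInitiated) {
  h.entries = h.entries.slice(0, h.index + 1); // drop any forward entries
  h.entries.push({ url, userInitiated });
  h.index = h.entries.length - 1;
}

// Naive Back: the previous entry, whoever created it.
function backNaive(h) {
  return h.index > 0 ? h.entries[h.index - 1].url : null;
}

// Hardened Back: skip entries that were not created by an explicit user action.
function backSkippingAuto(h) {
  for (let i = h.index - 1; i >= 0; i--) {
    if (h.entries[i].userInitiated) return h.entries[i].url;
  }
  return null;
}

// Constructed scenario: the user opens an article on news.example; a script on
// that page forcibly forwards the tab to scam.example (no user gesture), and the
// scam page then stuffs the history with dummy entries via pushState().
function scenario() {
  const h = makeHistory('https://news.example/article');
  addEntry(h, 'https://scam.example/landing', false); // forced forwarding
  for (let i = 1; i <= 5; i++) {
    // attacker: history.pushState({}, '', `/fake${i}`) in a loop
    addEntry(h, `https://scam.example/fake${i}`, false);
  }
  return h;
}

const h = scenario();
console.log('naive Back ->', backNaive(h));            // lands on a dummy scam entry
console.log('hardened Back ->', backSkippingAuto(h));  // returns to the article
```

With the naive behaviour the user presses Back and stays on scam.example; with the skip rule the five pushState entries and the forced forward are ignored and the first Back returns to news.example, which is the behaviour the article describes.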

Source: https://blog.chromium.org/



Paul said:

    And exactly how is the cookie set?