Security news that informs and inspires

Google Wants to Change How Cookies Are Used


Google has to walk a fine line between collecting as much information as possible to deliver personalized user experience and knowing so much about the individual user that it becomes creepy. The balancing act doesn’t always work, but that hasn’t stopped the company’s engineers from tinkering with new privacy-focused features.

Google I/O, the company’s developer conference, is a good place to announce new privacy features “coming soon” in Android Q, smartphones, and other Google services. It’s also a good time to bury changes in how the company will handle the way web browsing currently works because there’s so many other things going on. In particular, Google announced changes to how it will handle HTTP cookies in Chrome.

Cookies are multi-purpose, as they can be used to tell websites that the user is a repeat visitor to the site, let the user turn on the “remember me” option when logging in, keep items in the shopping cart even after the user navigates away from the page, serve up personalized ads and content based on past behavior, and track the user from site to site. Most browsers now prompt before allowing a site to store cookies, but for the most part, browsers can’t tell the difference between different types of cookies. If the browser knew how to distinguish between a cookie that keeps the user logged in and a cookie that track the web activity, privacy-conscious users can keep clearing out the “bad” cookies (tracking) without giving up the “good” cookies (logged in).

“Unfortunately, to browsers, all of these different types of cookies look the same, which makes it difficult to tell how each cookie is being used — limiting the usefulness of cookie controls,” Ben Galbraith director of Chrome product management and Justin Schuh, director of Chrome Engineering.

What’s needed, are cookies that can tell browsers their purpose, and controls that are designed to handle specific types of cookies.

“Blunt solutions that block all cookies can significantly degrade the simple web experience that you know today, while heuristic-based approaches—where the browser guesses at a cookie's purpose—make the web unpredictable for developers,” Galbraith and Schuh said.

Later this year, Google will add new features to Chrome that will provide transparency on how sites are using cookies. The first step, before making changes in Chrome, is modifying how the cookies work. To do that, Google will require website developers to assign a cookie attribute specifying what the cookie will be used for. Developers would have to say in the attribute whether it will work across websites. The mechanism will be built on the web’s SameSite cookie attribute.

“This change will enable users to clear all such cookies while leaving single domain cookies unaffected, preserving user logins and settings,” the engineers wrote. “It will also enable browsers to provide clear information about which sites are setting these cookies so that users can make informed choices about their data.”

The security benefit is also clear, since cookies won’t be able to be abused in cross-site injection and data disclosure attacks, or cross-site request forgery (CSRF). A CSRF attack tricks the user’s browser into submitting the cookie to the target server, even if the request wasn’t generated from the site. With the same-site setting on the cookie, the target server won’t be tricked since the cookie will only be sent if the request originated from the same site or domain. Google also plans to eventually make cross-site cookies function only over HTTPS connections.