Chrome Update Could Affect Web Applications and Single Sign-On Sites

Last Updated: 02/13/2020

Google has announced that starting the week of February 17, Chrome will begin enforcing a new secure-by-default cookie classification system which will impact how Chrome handles cross-site (third-party) cookies. Only cookies set as SameSite=None; Secure will be available in third-party contexts, provided they are being accessed from secure connections.

Service and application owners who have sites that utilize CU Boulder’s Federated Identity Service for single sign-on are encouraged to test their applications and services. This MIT knowledge base article provides instructions for testing applications by updating settings in both Chrome and Firefox to emulate the forthcoming default behavior in Chrome. Since Chrome makes an exception for cookies set without a SameSite attribute less than two minutes ago, testing in Firefox is also valuable. While it hasn’t been officially announced yet, Mozilla Firefox is also likely to update its default handling for cross-site cookies.