{"id":7951,"date":"2020-09-02T09:24:46","date_gmt":"2020-09-02T07:24:46","guid":{"rendered":"https:\/\/www.recolize.com\/?p=7951"},"modified":"2020-09-17T11:06:48","modified_gmt":"2020-09-17T09:06:48","slug":"browsers-restrict-cookies-2020","status":"publish","type":"post","link":"https:\/\/www.recolize.com\/en\/blog\/browsers-restrict-cookies-2020\/","title":{"rendered":"How Browsers Restrict Cookies in 2020"},"content":{"rendered":"
\n \n
<\/div>\n\n
\n
\n
\n

A lot of things are changing in the online world these days at a very fast pace. Especially the trend regarding privacy concerns that has widely been started with the GDPR in Europe, now makes its way to the rest of the world. As a result more and more browser vendors are starting to put privacy at their top priority. This results in a lot of changes on how browsers restrict cookies which we will have a deeper look at.<\/p>\n

<\/p>\n

Note: if you think it’s a smart idea to circumvent cookies by using browser local storage, please be aware that browser vendors are also imposing restrictions on them, so this won’t be a long-lasting solution. In addition local storage is a same origin solution, which means you will have different storages for www.recolize.com and tool.recolize.com.<\/p>\n

The goal of browser privacy<\/h2>\n

Apple’s Safari was one of the first browsers enabling more privacy-friendly settings by default. With their so-called “Intelligent Tracking Prevention<\/a>” logic (ITP) in 2017 they started to limit tracking across different sites. Lately in 2020 also they are the ones pushing mobile advertisers to find new solutions for example by restricting the use of the App Advertising ID<\/a> on iPhones in iOS 14.
\nOther browser vendors like Google Chrome or Mozilla Firefox are also already doing similar approaches or looking into it.<\/p>\n

Basically what all measures by the browser vendors have in common is to limit tracking of their users across different sites. Therefore there are 3 basic concepts that all browsers more or less do follow:<\/p>\n

    \n
  1. Drastically limiting expiry time of third-party cookies<\/li>\n
  2. Prohibiting cookies in unsecure contexts<\/li>\n
  3. Limiting expiry times of content created in JavaScript context (e.g. cookies or browser local storage)<\/li>\n<\/ol>\n

    As it is very difficult to stay on top on how the different browsers restrict cookies and local storage, the website cookiestatus.com<\/a> is a very good information source:<\/p>\n<\/div>\n

    \n \n \"\" <\/a>\n <\/div>\n
    \n

    What to do with your cookies now ?<\/h2>\n

    Basically there are 3 important cookie attributes:<\/p>\n

      \n
    1. HttpOnly<\/code>: this cookie attribute guarantees that the cookie cannot be access by JavaScript at all.<\/li>\n
    2. Secure<\/code>: this cookie attribute transmits cookies only in case that you are accessing the URL via HTTPS<\/li>\n
    3. SameSite<\/code>:
      \nThe attribute can have the values Strict<\/code>, Lax<\/code> or None<\/code> that tell the browser in which context the cookie is allowed to be accessed, with the first one being restricted to the same site requests. Whereas the latter has no restrictions for cross site requests, that means the cookie will be attached to any request which imposes the       security risk of CRSF<\/a>.
      \nFor a detailed explanation see the       excellent post on the Google Blog<\/a> and the Mozilla documentation<\/a>.<\/li>\n<\/ol>\n

      With the information derived from above we can conclude the following measures for your cookies:<\/p>\n