First step in cookies lockdown
Chrome 80, which arrived this week, begins the process of locking down cookies and includes patches for 56 vulnerabilities.
Google this week released Chrome 80, beginning a promised process of locking down cookies and at the same time patching 56 vulnerabilities.
The California company paid at least $48,000 in bug bounties to researchers who reported some of the vulnerabilities. Ten were tagged as “High,” the second-most serious in Google’s four-step threat ranking. Half of those 10 were submitted by engineers of Google’s own Project Zero team.
Chrome updates in the background, so most users can simply relaunch the browser to finish the upgrade. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. Those who are new to Chrome can download the latest version for Windows, macOS and Linux from Google.
Google updates Chrome every six to eight weeks. It last upgraded the browser on Dec. 10, 2019.
Enforcement of cookie-control starts now
Last year, Google said it would clamp down on cookies – the small bits of code websites rely on to, among other things, identify individual users – using the SameSite standard. SameSite, which has also been pushed by Mozilla and Microsoft, was designed to give web developers a way to control which cookies can be sent by a browser and under what conditions.
With Chrome 80, Google will begin enforcing SameSite, said Barb Smith, a Google executive, in a Feb. 4 post to the Chromium blog. Cookies distributed from a third-party source – in other words, not by the site the user is at – must be correctly set and accessed only over secure connections.
“Enforcement of the new cookie classification system in Chrome 80 will begin later in February with a small population of users, gradually increasing over time,” Smith wrote. Google frequently rolls out new features and other changes in stages, letting it verify that things worked as expected before expanding the pool of users. The company has set the week of Feb. 17 as the opening switch-on-SameSite salvo.
Also, as of Chrome 80, cookies without a SameSite definition will be considered as first-party only by default; third-party cookies – say, those from an external ad distributor tracking users as they wander the web – won’t be sent.
It’s complicated – for users, even IT admins, if not for developers – as this Google video demonstrates. But the result will likely be an aggressive push by Google, using the club of Chrome’s dominance, to motivate site makers and other cookie distributors to get behind the SameSite standard.
SameSite is not Google’s answer to the increasing anti-tracking positions being staked out by rivals such as Mozilla and Microsoft. Google has emphasized SameSite’s security prowess – preventing cross-site request forgery (CSRF) attacks, for instance – not any privacy benefits.
That’s no surprise.
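The cookie rules described in this section, modelled as an added example that is not code from Google or from the original article: it classifies a Set-Cookie header the way the article describes Chrome 80 treating it, then checks whether the cookie would be attached to a cross-site request. Function names, sample headers and the request descriptor are constructed for illustration; the Lax navigation rule and the rule that SameSite=None requires Secure follow the public SameSite specification.

```javascript
// Added example (not from the article): SameSite rules as described for Chrome 80.
// All names below are hypothetical.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Pull out the attributes of one Set-Cookie header value that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// Decide how the browser stores the cookie under the new defaults.
function classify(header) {
  const c = parseSetCookie(header);
  // Missing SameSite: first-party only by default, i.e. treated as Lax.
  // Assumption: an unrecognized value is handled like a missing one.
  const mode = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : 'lax';
  // A third-party (SameSite=None) cookie is only honoured together with Secure.
  const accepted = !(mode === 'none' && !c.secure);
  return { name: c.name, mode, secure: c.secure, accepted, defaulted: mode !== c.sameSite };
}

// Would the cookie be attached to the request described by `req`
// ({ crossSite, topLevelNavigation, method, https })?
function wouldSend(header, req) {
  const c = classify(header);
  if (!c.accepted) return false;             // rejected when it was set
  if (c.secure && !req.https) return false;  // Secure cookies need HTTPS
  if (!req.crossSite) return true;           // first-party context
  if (c.mode === 'none') return true;        // explicit third-party cookie
  if (c.mode === 'lax') return req.topLevelNavigation && SAFE_METHODS.includes(req.method);
  return false;                              // strict
}

// Constructed sample headers and request contexts.
const SAMPLES = {
  legacy: 'sid=abc123; Path=/; HttpOnly',    // no SameSite attribute at all
  widget: 'embed=1; SameSite=None; Secure',  // correctly marked third-party cookie
  broken: 'track=9; SameSite=None',          // None without Secure
};
const CROSS_SITE_POST = { crossSite: true, topLevelNavigation: true, method: 'POST', https: true };
const CROSS_SITE_IFRAME = { crossSite: true, topLevelNavigation: false, method: 'GET', https: true };
const LINK_CLICK = { crossSite: true, topLevelNavigation: true, method: 'GET', https: true };
```

With these samples, the session cookie that sets no SameSite attribute is left off the cross-site POST, which is the CSRF case the article mentions, while the SameSite=None cookie without Secure is rejected when it is set.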
No more notification nagging? That would be great
Chrome 80 also implemented the quieter notifications that Google pledged last month.
Rather than let sites place pop-ups on the page requesting permission to send notifications, Chrome 80 features an alarm bell icon with a strike-through near the right edge of the address bar. The first time Chrome presents the quiet UI, an in-browser dialog, which can be dismissed, will explain the feature.
Users will be able to engage the new notification UI manually using an option in Settings > Advanced > Privacy and security > Site Settings > Notifications. Toggling the “Use quieter messaging (blocks notification prompts from interrupting you)” switch turns on the pop-up blocker. Google has said it would also automatically enable the quieter UI for some. Those who “repeatedly deny” the notification requests will be auto-enrolled. Google will automatically silence some sites as well.
Not all users will see the less-intrusive notification requests immediately; although Google promised that Chrome 80 would launch the feature, Computerworld’s copies of the browser did not yet show the new UI.
Tab groups supposed to begin to show
Tab groups are also supposed to debut in Chrome 80, but that, too, was not yet enabled by default on Computerworld’s numerous copies running under Windows 10 and macOS. (The option to turn it on is behind chrome://flags: Search for Tab Groups, change the setting at the right to Enabled, and relaunch the browser.)
Last month, Google said that the feature – which does what it sounds like it does, organizes tabs by lumping together several, each lump designated by color and name – should begin rolling out to users with Chrome 80 but finish that process with March’s Chrome 81.
When it does appear – or after the browser’s owner manually enables it – users can right-click tabs and choose new menu items to create groups, assign tabs to them or remove tabs from those groups.
Other additions to Chrome 80 were enterprise-centric as Google continued to enhance the browser’s in-business skills, even more important of late as Microsoft introduced the Chromium-based Edge last month as an alternative.
Enterprise IT admins can enable or disable each type of synchronized data, ranging from History and Themes to Open Tabs and Passwords (just as individuals can do manually in Settings > Manage Sync), using the newly documented SyncTypesListDisabled group policy.
More management in Chrome 80 allows for a full blockade on employees trying to install external add-ons. Administrators can call on the BlockExternalExtensions policy to stop the practice. (Note: this does not block kiosk apps or extensions installed by policy.)
Chrome’s next upgrade, to version 81, is scheduled to ship on March 17, 2020.