Hello, welcome to the Friday, January 31st, 2020 edition of the Sands and the Storm Center's Stormcast. My name is Johannes Ulrich and I'm recording from Augusta, Georgia.

I want to start today with a little bit longer segment talking about some upcoming changes to Chrome. Chrome is going to release version 80 next week

on February 4th and it comes with some changes to the cookie policies that I think are worth

mentioning and some of the details really haven't been discussed well,

I think some of the impact these changes may have on applications.

Until recently, so of the way cookies worked essentially was that a site would set a cookie

and whenever a request for a browser was sent to that site, the browser

would include the cookie no matter what triggered the particular request.

This of course led to heavy abuse.

It led to some user tracking.

It also was some of the reason why cross-site request forging became such a

big deal. When a malicious site triggers a request to a website to which the user was already

logged in to, then the browse of course would send the session cookie and with that sort of malicious requests

could be triggered if the site didn't implement additional steps to prevent cross-site

request forgery. So to prevent some of these issues a new cookie parameter was introduced same site.

The same site parameter essentially limits what

requests that are triggered by sites that did not set the particular cookie will actually

send the cookie along. So if I'm logging into a website, the website sets a session cookie. I'm

going to another website without logging into a website, the website sets a session cookie, I'm going to another

website without logging out, and that other website will now trick a request by submitting

a forum, by loading an image or whatever, then I can limit whether or not the cookie is being

sent along with that request.

...