Google last week announced that it has started rolling back a cross-site request forgery (CSRF) protection introduced in early February with the release of Chrome 80 in the stable channel.
Initially announced in May 2019, the protection involves Chrome enforcing a new secure-by-default cookie classification system, where cookies that haven’t declared a SameSite value being treated as SameSite=Lax cookies.
As part of the change, only cookies set as SameSite=None; Secure are made available in third-party contexts, but only over secure connections.
Since early February, Google has been gradually rolling out the protection to its users, while keeping an eye on ecosystem impact, and also contacting individual websites and services to ensure cookies are labeled correctly.
Due to the current COVID-19 pandemic, however, the Internet search giant has decided to temporarily roll back the enforcement of SameSite cookie labeling. The rollback started on Friday, April 3.
“While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time,” Google says.
The rollback should have no impact on organizations, users or websites.
Google says it will provide notice when the enforcement will resume, something that it estimates will likely happen over the summer.
A few weeks back, the company announced that it decided to skip Chrome 82 entirely, also due to the COVID-19 pandemic. Furthermore, the coronavirus crisis forced Google, Microsoft, and Mozilla to delay plans to remove support for TLS 1.0 and 1.1 from their browsers.
Related: Google Patches High-Risk Chrome Flaws, Halts Upcoming Releases
Related: Chrome 80 Released With 56 Security Fixes
Related: Browser Makers Delay Removal of TLS 1.0 and 1.1 Support

More from Ionut Arghire
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- TransUnion Denies Breach After Hacker Publishes Allegedly Stolen Data
Latest News
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- Researchers Discover Attempt to Infect Leading Egyptian Opposition Politician With Predator Spyware
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
