Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google Rolls Back Recently Introduced Chrome CSRF Protection

Google last week announced that it has started rolling back a cross-site request forgery (CSRF) protection introduced in early February with the release of Chrome 80 in the stable channel.

Google last week announced that it has started rolling back a cross-site request forgery (CSRF) protection introduced in early February with the release of Chrome 80 in the stable channel.

Initially announced in May 2019, the protection involves Chrome enforcing a new secure-by-default cookie classification system, where cookies that haven’t declared a SameSite value being treated as SameSite=Lax cookies.

As part of the change, only cookies set as SameSite=None; Secure are made available in third-party contexts, but only over secure connections.

Since early February, Google has been gradually rolling out the protection to its users, while keeping an eye on ecosystem impact, and also contacting individual websites and services to ensure cookies are labeled correctly.

Due to the current COVID-19 pandemic, however, the Internet search giant has decided to temporarily roll back the enforcement of SameSite cookie labeling. The rollback started on Friday, April 3.

“While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time,” Google says.

The rollback should have no impact on organizations, users or websites.

Advertisement. Scroll to continue reading.

Google says it will provide notice when the enforcement will resume, something that it estimates will likely happen over the summer.

A few weeks back, the company announced that it decided to skip Chrome 82 entirely, also due to the COVID-19 pandemic. Furthermore, the coronavirus crisis forced Google, Microsoft, and Mozilla to delay plans to remove support for TLS 1.0 and 1.1 from their browsers.

Related: Google Patches High-Risk Chrome Flaws, Halts Upcoming Releases

Related: Chrome 80 Released With 56 Security Fixes

Related: Browser Makers Delay Removal of TLS 1.0 and 1.1 Support

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.