Chromium Blog
News and developments from the open source browser project
Improving privacy and security on the web
Tuesday, May 7, 2019
In 2008, we launched Chrome with the goal of building a speedy, simple, secure and stable web for everyone, everywhere. Ten years later, user experience is still at the core of everything we do.
We’ve received consistent feedback from our users about the importance of transparency, choice and control when it comes to data privacy on the web. That’s why today, at Google I/O, we announced our plans to update how cookies are handled by Chrome.
Cookies and privacy
Cookies play an important part of the web experience today — they are used to keep you logged into email, save shipping addresses on a retail site, and remember your preferences on the websites you’ve visited. And they can also be used to track your browsing activity across the web to serve personalized content and ads.
Unfortunately, to browsers, all of these different types of cookies look the same, which makes it difficult to tell how each cookie is being used — limiting the usefulness of cookie controls. For instance, when you clear all of your cookies, you’re logged out of all sites and your online preferences are reset. Because of this, blunt solutions that block all cookies can significantly degrade the simple web experience that you know today, while heuristic-based approaches—where the browser guesses at a cookie's purpose—make the web unpredictable for developers.
Improving cookie controls in Chrome
We announced at I/O that we will be updating Chrome to provide users with more transparency about how sites are using cookies, as well as simpler controls for cross-site cookies. We will preview these new features later this year.
We are making a number of upcoming changes to Chrome to enable these features, starting with modifying how cookies work so that developers need to explicitly specify which cookies are allowed to work across websites — and could be used to track users. The mechanism we use builds on the web's SameSite cookie attribute, and you can find the technical details on
web.dev
.
In the coming months, Chrome will require developers to use this mechanism to access their cookies across sites. This change will enable users to clear all such cookies while leaving single domain cookies unaffected, preserving user logins and settings. It will also enable browsers to provide clear information about which sites are setting these cookies, so users can make informed choices about how their data is used.
This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default. We also announced our plan to eventually limit cross-site cookies to HTTPS connections, providing additional important privacy protections for our users.
Developers can start to test their sites and see how these changes will affect behavior in the latest developer build of Chrome.
Protections against fingerprinting
Making changes to how the browser treats cookies requires us to consider the broader web ecosystem. Blunt approaches to cookie blocking have been tried, and in response we have seen some user-tracking efforts move underground, employing harder-to-detect methods that subvert cookie controls. These methods, known as ‘fingerprinting,’ rely on various techniques to examine what makes a given user’s browser unique.
Because fingerprinting is neither transparent nor under the user’s control, it results in tracking that doesn’t respect user choice. This is why Chrome plans to more aggressively restrict fingerprinting across the web. One way in which we’ll be doing this is reducing the ways in which browsers can be passively fingerprinted, so that we can detect and intervene against active fingerprinting efforts as they happen.
Continuing to build a better web
We believe these changes will help improve user privacy and security on the web — but we know that it will take time. We also recognize that both cross-site cookies and fingerprinting have uses other than tracking. We’re committed to working with the web ecosystem to understand how Chrome can continue to support these positive use cases and to build a better web.
We launched Chrome ten years ago with the objective of building a better web and improving the user experience. While our browser has evolved since 2008, our objective remains the same.
Ben Galbraith - Director, Chrome Product Management
Justin Schuh - Director, Chrome Engineering
Labels
$200K
1
10th birthday
4
abusive ads
1
abusive notifications
1
accessibility
2
ad blockers
1
ad blocking
2
advanced capabilities
1
android
1
anti abuse
1
anti-deception
1
background periodic sync
1
badging
1
benchmarks
1
beta
24
better ads standards
1
billing
1
birthday
4
blink
2
browser
2
browser interoperability
1
bundles
1
capabilities
6
capable web
1
cds
1
cds18
2
cds2018
1
chrome
30
chrome 81
1
chrome 83
2
chrome 84
2
chrome ads
1
chrome apps
4
chrome dev summit
1
chrome dev summit 2018
1
chrome dev summit 2019
1
chrome developer
1
Chrome Developer Center
1
chrome developer summit
1
chrome devtools
1
Chrome extension
1
Chrome Frame
1
Chrome lite
1
Chrome on Android
1
chrome privacy
3
chrome releases
1
chrome security
4
chrome web store
31
chromedevtools
1
chromeframe
3
chromeos
3
chromium
5
cloud print
1
coalition
1
coalition for better ads
1
contact picker
1
content indexing
1
cookies
1
core web vitals
1
csrf
1
css
1
cumulative layout shift
1
dart
8
dashboard
1
Data Saver
3
Data saver desktop extension
1
day 2
1
deceptive installation
1
declarative net request api
1
design
2
developer dashboard
1
Developer Program Policy
2
devtools
13
digital event
1
discoverability
1
DNS-over-HTTPS
3
DoH
3
emscriptem
1
enterprise
1
extensions
27
faster web
1
features
1
feedback
2
field data
1
first input delay
1
form controls
1
frameworks
1
fugu
2
fund
1
funding
1
gdd
1
google earth
1
google event
1
google io 2019
1
google web developer
1
googlechrome
12
harmful ads
1
html5
11
iframes
1
images
1
incognito
1
intent to explain
1
ios
1
ios Chrome
1
javascript
5
lab data
1
largest contentful paint
1
lazy-loading
1
lighthouse
2
linux
2
Lite Mode
2
Lite pages
1
loading interventions
1
loading optimizations
1
mac
1
manifest v3
1
metrics
2
microsoft edge
1
mobile
2
na
1
native client
8
native file system
1
New Features
5
notifications
1
octane
1
open web
4
origin trials
2
pagespeed insights
1
pagespeedinsights
1
payment handler
1
payment request
1
payments
1
performance
3
performance tools
1
permission UI
1
permissions
1
play store
1
portals
3
privacy
1
privacy sandbox
1
progressive web apps
2
Project Strobe
1
protection
1
pwa
1
quieter permissions
1
releases
3
removals
1
rlz
1
safe browsing
1
Secure DNS
1
security
34
site isolation
1
slow loading
1
sms receiver
1
spam policy
1
spdy
2
spectre
1
speed
2
ssl
2
store listing
1
strobe
1
subscription pages
1
suspicious site reporter extension
1
tools
1
transparency
1
trusted web activities
1
twa
2
user data policy
1
v8
6
video
2
wasm
1
web
1
web apps
1
web assembly
1
web developers
1
web intents
1
web packaging
1
web payments
1
web platform
1
web request api
1
web vitals
1
web.dev
1
web.dev live
1
webapi
1
webassembly
1
webaudio
3
webgl
7
webkit
5
WebM
1
webmaster
1
webp
5
webrtc
6
websockets
5
webtiming
1
writable-files
1
yerba beuna center for the arts
1
Archive
2020
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2010
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2009
Dec
Nov
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2008
Dec
Nov
Oct
Sep
Feed
Follow @ChromiumDev
Give us feedback in our
Product Forums
.
