Browsers seem to be tripping over themselves in a race to provide a more private experience, except for perhaps the greatest offender: Google’s Chrome.
In September, Mozilla’s Firefox rolled out Enhanced Tracking Protection. Soon after, Apple’s Safari rolled out Intelligent Tracking Prevention. Trademarked names aside, what both of these features do is limit the ability of cookies, specifically cross-site cookies, to collect data on users. That means cookies will now only be active on their own origin website and not on other websites.
Mozilla’s approach additionally blocks cryptomining and “fingerprinting scripts”, which identify users by their device configuration. Apple’s approach, on the other hand, is unique in that it deletes cookies altogether after they’ve been inactive for a period of time. If you, say, stop using Facebook for a while, its cookies become inactive and Safari will automatically delete them.
You might have noticed that Google’s Chrome, which holds around 60% of the market share, hasn’t been mentioned so far. To make matters worse for Google, Microsoft finally launched the Chromium-based version of their Edge browser, which also includes the more humbly named “Tracking Prevention.”
In response, Google published a blog post on January 14th which was little more than PR-fluff, basically referring to their August blog post on the subject and saying “We were right, we received feedback and we’re moving in the right direction.” Clearly a desperate attempt to steal some of Edge’s attention.
The major takeaway from Google’s “we too” blog post is that they’ll make the same changes that every other browser has already implemented… within two years. They argue that outright blocking tracking and fingerprinting will have unintended consequences, probably for analytics and ad revenue, which are their bread and butter, and that they will instead “phase out support for third-party cookies.”
Their first step is to enforce SameSite=Strict on cookies that don’t specify a SameSite attribute. Cookies with SameSite=None or SameSite=Lax will only be accessible over HTTPS. This change is minimal compared to what competitors are doing, and will not take effect until February.
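One way to check a site's cookies against the two conditions in the paragraph above, as an added example that is not from the original post: it parses Set-Cookie header values and flags cookies with no SameSite attribute and cookies marked None or Lax that lack Secure (the attribute that limits a cookie to HTTPS). The function names, finding labels and sample headers are constructed for illustration.

```javascript
// Added example; header values below are constructed samples.
// Parse one Set-Cookie header value into its name and attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const name = eq === -1 ? first : first.slice(0, eq);
  const attrs = new Map();
  for (const part of parts) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive, so normalise to lower case.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Report the conditions named above for one header.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = attrs.has('samesite') ? attrs.get('samesite').toLowerCase() : null;
  const secure = attrs.has('secure');
  const findings = [];
  if (sameSite === null) {
    findings.push('no-samesite'); // browser default will apply
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push('invalid-samesite');
  }
  if ((sameSite === 'none' || sameSite === 'lax') && !secure) {
    findings.push('not-https-only'); // no Secure attribute
  }
  return { name, sameSite, secure, findings };
}

// Keep only cookies that have at least one finding.
function auditAll(headers) {
  return headers.map(auditCookie).filter((r) => r.findings.length > 0);
}

const sampleHeaders = [
  'session=abc123; Path=/; HttpOnly',
  'tracker=xyz; SameSite=None',
  'prefs=dark; SameSite=Lax; Secure',
  'csrf=tok; samesite=strict; secure',
  'legacy=1; SameSite=Sometimes; Secure',
];
for (const r of auditAll(sampleHeaders)) {
  console.log(`${r.name}: ${r.findings.join(', ')}`);
}
```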