Response to Chrome 80 SameSite attribute cookie update

Brendan O'Driscoll

The Chrome version 80 "SameSite" update is part of Google's ongoing initiative to improve privacy and security across the web.

Scheduled for February 2020, the update changes the behavior of browser cookies in cross-site scenarios. It is important that developers who manage cookies assess how the change impacts the functionality of their web assets. 

This article provides a high-level explanation of the update, as well as how it might relate to your use of Vidyard. However, please make sure to review Chromium's blog post for guidance and complete details.

What is the Chrome 80 SameSite update?

SameSite is an attribute that developers add to browser cookies in order to state the context in which the cookie is being used (i.e. is the cookie being set on the same domain as the current site or on a different domain entirely?).

This is especially important for websites or applications that use external services with cookies to personalize the user experience, remember visitors' preferences, or measure audience engagement (e.g. advertising tools, social sharing, and other third-party widgets).

Historically, if no attribute is stated, the behavior of the cookie defaults to SameSite=None. SameSite=None indicates that the cookie is being sent across different domains (i.e. in a third-party context).

While SameSite has always been a supported attribute, it has not been widely adopted by developers. Without consistent use of the attribute on webpages, cookies that have defaulted to SameSite=None communicate data in a third-party context and therefore are at greater risk of cross-site request forgery (CSRF). 

So, to improve browser security and privacy across the board, Chrome 80 makes the following changes:

  1. If no SameSite attribute is set, the default behavior will fall back to the more secure SameSite=Lax.
  2. Developers need to explicitly state the context in which a cookie is being sent: the Strict and Lax attributes for first-party contexts, the None attribute for third-party contexts.
  3. If cookies are sent in a third-party context, the additional attribute Secure needs to be added to ensure data is communicated across sites using HTTPS.

How does the Chrome 80 update affect Vidyard?

Viewer tracking and analytics

Vidyard's player embed code leverages the local and session storage in a browser (rather than cookies) to associate video analytics with a viewer. As a result, any viewer tracking, identification, and collection of video analytics are unaffected by the Chrome update.

Integrations with marketing automation platforms (MAPs)

Vidyard maintains data integrations with several MAPs, including Marketo, HubSpot, Oracle Eloqua, and Pardot.

In order to identify and pass data about viewers to contact records in your MAP, the player embed code relies on identifiers from the cookie set by your MAP's tracking script.

To ensure uninterrupted flow of data to your marketing automation tool, ensure cookies set by your MAP's tracking script conform to the new SameSite browser rules required by Chrome. Either:

  1. Ensure that your MAP tracking script sets cookies on the same domain as the page where the Vidyard player is embedded (first-party context).
  2. Update the settings for any existing MAP cookies that are being sent from another domain (third-party context) to include SameSite=None; Secure.
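
The three Chrome 80 rules listed earlier, and the MAP cookie check above, can be applied offline to the Set-Cookie header values your tracking script returns. The JavaScript below is an added example, not Vidyard's or Chromium's code; the function names and sample headers are constructed, and it models only the rules stated in this article.

```javascript
// Added example: applies the Chrome 80 rules described in this article to
// Set-Cookie header values. Names and sample headers are constructed.
function classifySetCookie(header, thirdParty) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let declared = null; // null: SameSite absent (or a value this sketch does not recognise)
  let secure = false;
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") secure = true;
    if (key === "samesite" && ["strict", "lax", "none"].includes(value)) declared = value;
  }
  // Rule 1: with no SameSite attribute the cookie is treated as SameSite=Lax.
  const effective = declared === null ? "lax" : declared;
  let verdict = "ok";
  if (effective === "none" && !secure) {
    // Rule 3: a third-party (SameSite=None) cookie must also carry Secure.
    verdict = "rejected: SameSite=None requires Secure";
  } else if (thirdParty && effective !== "none") {
    // Rule 2: Strict and Lax are first-party only; third-party use needs None.
    verdict = "not sent in third-party context";
  }
  return { name, declared, effective, secure, verdict };
}

// Return only the cookies that need attention for the given context.
function auditCookies(headers, thirdParty) {
  return headers
    .map((h) => classifySetCookie(h, thirdParty))
    .filter((r) => r.verdict !== "ok");
}

// Constructed sample: cookies a tracking script on another domain might set.
const SAMPLE_HEADERS = [
  "example_map_id=abc123; Path=/; Max-Age=31536000",
  "example_map_id=abc123; Path=/; SameSite=None",
  "example_map_id=abc123; Path=/; SameSite=None; Secure",
  "example_session=xyz; Path=/; SameSite=Strict; Secure",
];

for (const r of auditCookies(SAMPLE_HEADERS, true)) {
  console.log(`${r.name}: declared=${r.declared}, effective=${r.effective} -> ${r.verdict}`);
}
```

Only the third sample header passes in a third-party context; pass `false` as the second argument to check the same cookies when the tracking script sets them on the page's own domain.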

What action do I need to take? 

Because the Chrome update primarily impacts third-party software that Vidyard interacts with (marketing automation tools), it is your responsibility to ensure that cookies set by your MAP's tracking script conform to the new SameSite rules from Google.

When in doubt, you can test Vidyard's integration using your MAP's tracking script on a page with a Vidyard player, ideally outside of your production environment.

  • Check for console warnings in the browser's developer tools (Chrome 77+). Pages that contain cross-site cookies without the required new settings will display a message that identifies the cross-site resource being used.
  • Chromium's blog post also explains how to test the effect of the new Chrome behavior on your site or cookies you manage by navigating to chrome://flags and enabling the “SameSite by default cookies” flag.

Where can I find more information?

If you have additional questions or need assistance, please open a case with Vidyard Support.
