Response to Chrome 80 SameSite attribute cookie update
The Chrome version 80 "SameSite" update is part of Google's ongoing initiative to improve privacy and security across the web.
Scheduled for February 2020, the update changes the behavior of browser cookies in cross-site scenarios. It is important that developers who manage cookies assess how the change impacts the functionality of their web assets.
This article provides a high-level explanation of the update, as well as how it might relate to your use of Vidyard. However, please make sure to review Chromium's blog post for guidance and complete details.
What is the Chrome 80 SameSite update?
SameSite is an attribute that developers add to browser cookies in order to state the context in which the cookie is being used (i.e. is the cookie being set on the same domain as the current site or on a different domain entirely?).
This is especially important for websites or applications that use external services with cookies to personalize the user experience, remember visitors' preferences, or measure audience engagement (e.g. advertising tools, social sharing, and other third-party widgets).
Historically, if no attribute is stated, the behavior of the cookie defaults to SameSite=None. SameSite=None indicates that the cookie is being sent across different domains (i.e. in a third-party context).
While SameSite has always been a supported attribute, it has not been widely adopted by developers. Without consistent use of the attribute on webpages, cookies that have defaulted to SameSite=None communicate data in a third-party context and therefore are at greater risk of cross-site request forgery (CSRF).
So, to improve browser security and privacy across the board, Chrome 80 makes the following changes:
- If no SameSite attribute is set, the default behavior will fall back to the more secure SameSite=Lax.
- Developers need to explicitly state the context in which a cookie is being sent: the Strict and Lax attributes for first-party contexts, the None attribute for third-party contexts.
- If cookies are sent in a third-party context, the additional attribute Secure needs to be added to ensure data is communicated across sites using HTTPS.
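The three rules above, applied to Set-Cookie headers, as an added example (not Vidyard's or Chromium's code). The header strings and cookie names are constructed, and treating an unrecognised SameSite value like a missing one is this example's assumption.

```javascript
// Constructed sample headers (cookie names and values are illustrative only).
const SAMPLE_HEADERS = [
  'map_visitor=abc123; Path=/',                          // no SameSite attribute
  'map_visitor=abc123; Path=/; SameSite=None',           // None without Secure
  'map_visitor=abc123; Path=/; SameSite=None; Secure',   // valid third-party cookie
  'site_session=xyz789; Path=/; Secure; SameSite=Strict' // first-party only
];

// Extract the cookie name plus the two attributes the Chrome 80 rules look at.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? '' : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Apply the three rules: default to Lax, only None travels cross-site, None needs Secure.
function chrome80Verdict(header) {
  const c = parseSetCookie(header);
  // Assumption: an unrecognised value is handled like a missing attribute.
  const effective = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : 'lax';
  if (effective === 'none' && !c.secure) {
    return { name: c.name, effective, accepted: false, sentCrossSite: false, fix: 'add Secure' };
  }
  const sentCrossSite = effective === 'none';
  const explicit = c.sameSite === effective;
  const fix = explicit ? null : 'state SameSite explicitly (None; Secure for third-party use)';
  return { name: c.name, effective, accepted: true, sentCrossSite, fix };
}

// Headers whose cookies will not reach a third-party context under the new rules.
function blockedCrossSite(headers) {
  return headers.filter((h) => !chrome80Verdict(h).sentCrossSite);
}

console.log(SAMPLE_HEADERS.map(chrome80Verdict));
```

Only the third sample header yields a cookie that is still sent in a third-party context; the first silently becomes Lax and the second is not accepted at all.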
How does the Chrome 80 update affect Vidyard?
Viewer tracking and analytics
Vidyard's player embed code leverages the local and session storage in a browser (rather than cookies) to associate video analytics with a viewer. As a result, any viewer tracking, identification, and collection of video analytics are unaffected by the Chrome update.
Integrations with marketing automation platforms (MAPs)
Vidyard maintains data integrations with several MAPs, including Marketo, HubSpot, Oracle Eloqua, and Pardot.
In order to identify and pass data about viewers to contact records in your MAP, the player embed code relies on identifiers from the cookie set by your MAP's tracking script.
To ensure uninterrupted flow of data to your marketing automation tool, ensure cookies set by your MAP's tracking script conform to the new SameSite browser rules required by Chrome. Either:
- Ensure that your MAP tracking script sets cookies on the same domain as the page where the Vidyard player is embedded (first-party context)
- Update the settings for any existing MAP cookies that are being sent from another domain (third-party context) to include SameSite=None; Secure.
What action do I need to take?
As the Chrome update primarily impacts third-party software that Vidyard interacts with (marketing automation tools), it is your responsibility to ensure that cookies set by your MAP's tracking script conform to the new SameSite rules from Google.
When in doubt, you can test Vidyard's integration using your MAP's tracking script on a page with a Vidyard player, ideally outside of your production environment.
- Check for console warnings in the browser's developer tools (Chrome 77+). Pages that contain cross-site cookies without the required new settings will display a message that identifies the cross-site resource being used.
- Chromium's blog post also explains how to test the effect of the new Chrome behavior on your site or cookies you manage by navigating to chrome://flags and enabling the “SameSite by default cookies”
Where can I find more information?
- Google's Chromium blog post contains the full details of the version 80 SameSite update
- For the timeline of the Chrome 80 release, see Google's Updates page.
- The SameSite Cookies Explained article on web.dev is a great resource for developers and non-developers alike
If you have additional questions or need assistance, please open a case with Vidyard Support.