Browser changes improving security and privacy
Major web browsers, including Google’s Chrome, Microsoft’s Edge and Mozilla’s Firefox will change their default settings affecting how they share users’ data between different domains from late February 2020.
Cookies often track user data and this change reflects evolving concerns around privacy. These new default settings reduce the amount of user data transferred between online services without user knowledge or consent.
It is difficult to anticipate all possible impacts of this change, given the wide range of websites and technologies used to access and deliver government services online.
We aim to give government digital teams an overview of the issues that may affect their users and suggest some approaches to mitigate them.
Changes for users
The Australian Cyber Security Centre (ACSC) recommends paying particular attention to patching and updating software that interacts with the internet whenever possible, including web browsers.
However, keeping your software up-to-date may also change how government websites behave, especially when domains interact, for example agency.gov.au and socialmediasite.com. After updating their browsers, users may find:
- government single sign-on services require them to sign out and sign in again
- social media content embedded in government websites requires an additional sign-in before interactions can occur
- social media 'share' buttons embedded in government websites may stop working altogether
Maintaining your users’ experience
Some things may change for government organisations delivering digital services, particularly if your websites use third-party cookies.
If you manage a digital service using a single sign-in system, or rely on content provided by third-party services, you should investigate whether your users will be affected by this change.
Identifying affected sites
Developers working on a digital service can use browsers’ debugging tools to identify potentially affected sites or functionality. For example, below is a warning found in the browser console for Google Chrome on a site using third-party cookies:
A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
Developers can test their fixes on target browsers by using the browsers' built-in debugging tools or settings to enable or disable the 'SameSite by default cookies' behaviour.
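The console warning above describes the two rules that decide whether a cookie survives the new default: a cookie with no SameSite attribute is treated as Lax and withheld from cross-site requests, and a cookie marked SameSite=None is rejected unless it also carries Secure. The following script is an added example, not code from the original page: it classifies Set-Cookie headers against those rules and rewrites the ones that genuinely need to work cross-site. The cookie names and header strings are constructed for illustration.

```python
"""Audit Set-Cookie headers against the 'SameSite=Lax by default' behaviour.

Added example; the headers below are constructed, not captured from a real site.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, [(attr, attr_value), ...])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value, attrs


def cross_site_status(header):
    """Say how the new browser default treats this cookie on cross-site requests."""
    _, _, attrs = parse_set_cookie(header)
    lowered = {k.lower(): v.lower() for k, v in attrs}
    samesite = lowered.get("samesite", "")
    if samesite == "none":
        # SameSite=None is only honoured when the cookie is also Secure.
        return "ok" if "secure" in lowered else "rejected"
    if samesite in ("lax", "strict"):
        return "first-party-only"       # explicitly restricted by the developer
    return "defaults-to-lax"            # no attribute: browser now assumes Lax


def fix_for_cross_site(header):
    """Rewrite a header so the cookie is still delivered with cross-site requests."""
    name, value, attrs = parse_set_cookie(header)
    kept = [(k, v) for k, v in attrs if k.lower() not in ("samesite", "secure")]
    out = [f"{name}={value}"] + [f"{k}={v}" if v else k for k, v in kept]
    return "; ".join(out + ["SameSite=None", "Secure"])


# Constructed sample headers, e.g. from a single sign-on or embedded-content service.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",            # will silently stop crossing sites
    "share_token=xyz; SameSite=None; Path=/",         # will be rejected outright
    "sso=tok; SameSite=None; Secure; HttpOnly",       # already compatible
    "csrf=1; SameSite=Strict",                        # intentionally first-party only
]


def audit(headers):
    """Map each cookie name to its cross-site status under the new default."""
    return {parse_set_cookie(h)[0]: cross_site_status(h) for h in headers}
```

Only cookies that must travel with cross-site requests (such as a single sign-on session or an embedded third-party widget) should be rewritten; first-party cookies are better left at Lax or Strict, which is the privacy gain the browsers are aiming for.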
Identifying affected users
Different browser manufacturers are releasing these changes at different times, and not all users will be using the same browser — or the same version of a browser — when accessing your website. Government digital teams could use their web analytics reports to observe how these browser releases will affect users if they do not deploy fixes.
Browser manufacturers are promoting the implementation of this new default as a privacy-preserving feature. Overall, we expect these changes to improve users’ online experiences. However, developers will need to closely investigate whether they need to implement technical fixes to reduce or remove disruptions to the delivery of online government services.