Browser changes improving security and privacy

From late February 2020, major web browsers, including Google’s Chrome, Microsoft’s Edge and Mozilla’s Firefox, will change the default settings that affect how they share users’ data between different domains.

Caption: Upcoming browser versions will handle third-party cookies differently.

Cookies often track user data and this change reflects evolving concerns around privacy. These new default settings reduce the amount of user data transferred between online services without user knowledge or consent.

It is difficult to anticipate all possible impacts of this change, given the wide range of websites and technologies used to access and deliver government services online.

We aim to give government digital teams an overview of the issues that may affect their users and suggest some approaches to mitigate them.

Changes for users

The Australian Cyber Security Centre (ACSC) recommends paying particular attention to patching and updating software that interacts with the internet whenever possible, including web browsers.

However, keeping your software up to date may also change how government websites behave, especially when domains interact, for example, agency.gov.au and socialmediasite.com. After updating their browsers, users may find:

  • government single sign-on services require them to sign out and sign in again
  • social media content embedded in government websites requires an additional sign-in before interactions can occur
  • social media 'share' buttons embedded in government websites may stop working altogether

Maintaining your users’ experience

Some things may change for government organisations delivering digital services, particularly if your websites use third-party cookies.

If you manage a digital service using a single sign-in system, or rely on content provided by third-party services, you should investigate whether your users will be affected by this change.

Identifying affected sites

Developers working on a digital service can use browsers’ debugging tools to identify potentially affected sites or functionality. For example, below is a warning found in the browser console for Google Chrome on a site using third-party cookies:

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.

Developers can test their fixes on target browsers using their built-in debugging tools to disable ‘samesite by default cookies’.
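
The rule stated in the console warning above can also be checked against the `Set-Cookie` headers a service sends. The following is an added example, not part of the original article: the cookie names and header values are constructed samples, and treating an unrecognised `SameSite` value as missing is an assumption.

```python
"""Check Set-Cookie headers against the rule in the Chrome console warning."""

# Constructed sample Set-Cookie values (cookie names are hypothetical).
SAMPLE_HEADERS = [
    "sso_session=abc123; Path=/; HttpOnly",                     # no SameSite
    "share_widget=1; Path=/; SameSite=None",                    # None, no Secure
    "embed_auth=xyz; Path=/; Secure; HttpOnly; SameSite=None",  # None + Secure
    "prefs=dark; Path=/; samesite=lax",                         # explicit Lax
]


def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one header."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0].strip()
    parsed = {}
    for attr in attrs:
        if attr:
            key, _, value = attr.partition("=")
            parsed[key.strip().lower()] = value.strip()
    return name, parsed


def classify(header):
    """Label one cookie by how the new browser default affects it."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # Delivered with cross-site requests only when Secure is also set.
        status = "cross-site-ok" if "secure" in attrs else "none-without-secure"
    elif samesite in ("lax", "strict"):
        status = "same-site-only"  # explicit choice, unchanged by the new default
    else:
        # Attribute absent (or unrecognised: assumed to count as absent).
        status = "missing-samesite"
    return name, status


def audit(headers):
    """Return {cookie name: status} for cookies the new default will affect."""
    affected = ("missing-samesite", "none-without-secure")
    return {n: s for n, s in map(classify, headers) if s in affected}


if __name__ == "__main__":
    for cookie, status in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {status}")
```

Cookies reported as `missing-samesite` are the ones that trigger the warning; those reported as `none-without-secure` declare cross-site use but lack the `Secure` attribute the warning requires.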

Identifying affected users

Different browser manufacturers are releasing these changes at different times, and not all users will be using the same browser — or the same version of a browser — when accessing your website. Government digital teams could use their web analytics reports to observe how these browser releases will affect users if they do not deploy fixes.

Caption: The Google Analytics 360 Technology Report shows the top 10 browsers and browser versions used by visitors to dta.gov.au for the last 90 days.

Next steps

Browser manufacturers are promoting the implementation of this new default as a privacy-preserving feature. Overall, we expect these changes to improve users’ online experiences. However, developers will need to closely investigate whether they need to implement technical fixes to reduce or remove disruptions to the delivery of online government services.

Further reading