SameSite Cookies & Chrome V80

  • Last updated on February 12, 2020 at 12:32 AM

What is changing?

Google is making security improvements in Chrome. Beginning with the release of v80, Chrome will, by default, block insecure cookies that set SameSite to None.

  • Chrome v80 on 04/02/2020
  • Changes to default cookie settings on 17/02/2020
  • Cookies default to SameSite = Lax
  • Reject insecure cookies when SameSite = None

What is happening?

If you view your browser console, you may see warnings like the one below when on a site with the Elevio Assistant installed:

A cookie associated with a cross-site resource at http://elev.io/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Behind the scenes, when requests are made for the JavaScript / CSS files that power the Elevio Assistant, which reside on the Elevio domain (.elev.io), any cookies (Google, Intercom, etc.) that were also set by third parties who have not correctly set their SameSite cookie policies are automatically sent along with the requests for the JavaScript and CSS assets.

We have already made the updates to our cookies required for the coming SameSite changes. You can see the cookies in question below, each of which is from a third party that is yet to update its cookie policies.

The table below shows the creator of each of the cookies.

Cookie Prefix    Third Party
_fbp             Facebook
_ga, _gid        Google Analytics
_hjid            HotJar
_hp2_*           Heap Analytics
_iub_*           Iubenda
ajs_*            Atlassian Jira Service Desk
intercom-*       Intercom


It's important to note that none of the above cookies were sending back private information about activity on your site.

Additionally, you will only see the above if you have visited https://app.elev.io and then visited a site with the Assistant installed, meaning the vast majority of your customers will not be affected by this.

This is the specific activity that Chrome v80+ will be blocking, meaning from approximately February 17, 2020 onwards those cookies will no longer automatically be retrieved, which is preferred.
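To check how a given cookie fares under the two Chrome 80 defaults listed above, the following added example (not Elevio's or Chrome's own code) classifies Set-Cookie header values. The function names and the sample headers are constructed for illustration, and treating an unrecognised SameSite value like a missing one is an assumption of the example.

```javascript
// Added example: how the Chrome 80 defaults treat a Set-Cookie header.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

function chrome80Verdict(header) {
  const c = parseSetCookie(header);
  // Cookies default to SameSite=Lax when the attribute is missing.
  // Assumption of this example: an unrecognised value is handled like a missing one.
  const effective = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : 'lax';
  // SameSite=None without Secure is rejected, so the cookie is never stored.
  const stored = !(effective === 'none' && !c.secure);
  // Only a stored SameSite=None cookie accompanies a cross-site asset request
  // (for example a script or stylesheet loaded from another site).
  return { name: c.name, effective, stored, sentWithCrossSiteAsset: stored && effective === 'none' };
}

// Constructed sample headers (names follow the prefixes in the table; values are made up).
const SAMPLE_HEADERS = [
  '_ga=GA1.2.111.222; Path=/; Domain=.example.test',
  '_hjid=abc123; Path=/; SameSite=None',
  'intercom-session-demo=xyz; Path=/; SameSite=None; Secure',
  'session=s1; Path=/; Secure; HttpOnly; SameSite=Strict',
];

function auditHeaders(headers) {
  return headers.map(chrome80Verdict);
}

for (const v of auditHeaders(SAMPLE_HEADERS)) {
  console.log(`${v.name}: effective=${v.effective} stored=${v.stored} cross-site=${v.sentWithCrossSiteAsset}`);
}
```

A cookie reported as `stored=false` is the "Reject insecure cookies" case; one reported as `effective=lax` with `cross-site=false` is the new default that stops it being attached to cross-site asset requests.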

How will I be affected?

The Elevio Assistant itself does not rely on cookies to operate, so it will be unaffected by this change. Our engineers have been aware of this change for some time now and tested Elevio in V80 to confirm this is the case.

So, just to reiterate: the Elevio Assistant and all other areas of our product suite will continue to work as expected, and there’ll be no impact when the changes are rolled out by Chrome.

