Chrome 80 enforces SameSite-by-default cookie handling

Executive briefing: Chrome 80 began enforcing the SameSite-by-default model, treating cookies without a SameSite attribute as Lax and requiring Secure on SameSite=None cookies. The change alters how authentication, CSRF defenses, and third-party embeds behave and demands explicit cookie labeling.

Why it matters

• Cross-site sign-in, embedded widgets, and legacy CSRF protections can break unless cookies are set with the correct SameSite value.
• SameSite=None now requires Secure and HTTPS, accelerating the phase-out of third-party cookies on insecure origins.
• Server libraries and reverse proxies may need upgrades to support the new attribute parsing and to avoid dropping the None value for older user agents.

Operator actions

• Inventory application cookies and explicitly set SameSite values (None, Lax, or Strict) that match intended use.
• Mark all SameSite=None cookies as Secure and serve them over HTTPS; update load balancer or CDN configurations as needed.
• Test federated login flows, embedded iframes, and payment integrations in Chrome 80+ to verify session continuity.
• Patch application frameworks or libraries to versions that correctly emit the None attribute and avoid legacy-stripping behavior.

Key sources

• Chromium Blog: SameSite cookie changes in February 2020 (explains enforcement timeline and developer guidance).
• Chrome Releases: Stable Channel Update for Desktop (announces Chrome 80 stable rollout on 4 February 2020).