Announcements

2020/1/30

Dear Valued Customer:

It has recently come to our attention that the release of the Google Chrome web browser build 80, scheduled for February 4th, 2020, features a change in how cookies are handled (https://www.chromestatus.com/features/schedule). The change promises new features intended to make your browser faster and more secure, including a new approach to cookies. The SameSite update will require website owners to explicitly state/label the third-party cookies that can be used on other sites. Cookies without the proper labeling won’t work in the new Chrome browser.

What is the change?

Cookies that do not include the SameSite=None and Secure labels won’t be accessible by third parties, such as ad tech companies, in Chrome version 80 and beyond. The Secure label means cookies need to be set and read via HTTPS connections.

Currently, the Chrome SameSite cookie default is: None, which allows third-party cookies to track users across sites. Starting February 4th, cookies will default into SameSite=Lax, which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie — a first-party cookie.

Any cookie with the SameSite=None label must also have a secure flag, meaning it will only be created and sent through requests made over HTTPS. Meanwhile, the SameSite=Strict designation restricts cross-site sharing altogether, even between different domains that are owned by the same publisher.

What do you need to do?

We would like our clients to test the following 3rd party cookie scenarios to ensure proper functioning of the consumer ecommerce experience.

  • Single sign-on (SSO) Clients having SSO integration using cookies will need to validate that the functionality works as expected with the new browser version. If the integration does not work, our recommendation is to set up the “SameSite” cookie attribute with a value of “None” as outlined in the document mentioned above (chrome://flags/#same-site-by-default-cookies).

  • Iframe Integration Clients having an Iframe integration with a Digital River hosted store will need to validate that functionality works as expected with the new browser version. Please contact Digital River if the functionality is broken.

  • Cross Origin calls referencing content from Digital River-hosted store Clients having Cross Origin calls (AJAX, JSONP, etc.) referencing content from Digital River hosted store will need to validate that functionality works as expected with the new browser version. Please contact Digital River if the functionality is broken.

  • Migrate to HTTPS secure pages, if you haven’t done so already.

Need additional information?

If you have additional questions or encounter any issues please feel free to contact your Digital River Operations Representative. You can also read more about this change at SameSite cookies explained.