Chrome SameSite

Cantor, Scott cantor.2 at
Tue Feb 4 14:53:22 EST 2020

> Has the Chrome SameSite been a damp squid? Or maintain vigilance? Our
> communications team went all out alerting on potential impact. They'd rather
> communicate and be caught out than not communicate.

You're not going to see the real impact until the 2 minute rule is gone. Then you're going to see a mess on a whole lot of internal systems. Optimistically most cloud systems will likely have been patched by then, but that's just a guess.

The biggest risks will be true inter-site business processes where actual site switches happen mid-session to allow things like purchase orders to be submitted and the like. People are focusing on SSO and ignoring some actual cases where CSRF is a *feature* of the system and not a bug. But the usual response there will be to document "don't use Chrome" or to use managed browser settings on enterprise clients.

-- Scott
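To make the "2 minute rule" concrete for anyone auditing their own application's cookies, here is an added Python model of Chrome 80's SameSite-by-default policy. It is not code from this thread or from any browser; it assumes the documented behaviour: a cookie with no SameSite attribute is treated as Lax, a Lax cookie is attached to a cross-site request only when that request is a top-level navigation with a safe method, SameSite=None requires Secure, and, as a temporary exception ("Lax+POST"), a cookie with no SameSite attribute that is less than two minutes old is also attached to a cross-site top-level POST. The Set-Cookie lines are constructed sample input; the `lax_post_window` parameter lets you set the exception to zero to see what breaks once the rule is removed.

```python
"""Model Chrome 80's SameSite-by-default rules and flag cookies that a
cross-site top-level POST (the pattern behind many SSO and inter-site
business flows) would no longer carry.  Added example, not browser code."""
from dataclasses import dataclass
from typing import List

UNSPECIFIED = "unspecified"       # Set-Cookie carried no SameSite attribute
LAX_POST_WINDOW = 120.0           # Chrome's temporary Lax+POST exception: two minutes


@dataclass
class Cookie:
    name: str
    samesite: str       # "Strict", "Lax", "None", or UNSPECIFIED
    secure: bool
    age_seconds: float  # time since the Set-Cookie response was received


def parse_set_cookie(header: str, age_seconds: float = 0.0) -> Cookie:
    """Extract the name and the SameSite/Secure attributes from a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    samesite, secure = UNSPECIFIED, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite" and value.strip():
            samesite = value.strip().capitalize()   # "none" -> "None", "LAX" -> "Lax"
    return Cookie(name, samesite, secure, age_seconds)


def would_be_sent(cookie: Cookie, same_site: bool, top_level: bool, method: str,
                  lax_post_window: float = LAX_POST_WINDOW) -> bool:
    """Return True if Chrome 80 would attach `cookie` to the described request."""
    # SameSite=None without Secure is rejected, so it is never stored or sent.
    if cookie.samesite == "None" and not cookie.secure:
        return False
    if same_site:
        return True                     # same-site requests always carry the cookie
    if cookie.samesite == "None":
        return True                     # explicit cross-site opt-in
    if cookie.samesite == "Strict":
        return False                    # never on cross-site requests
    # Lax (explicit or by default): cross-site only on top-level safe navigations...
    if not top_level:
        return False
    if method.upper() in ("GET", "HEAD"):
        return True
    # ...plus the Lax+POST exception for unspecified cookies younger than the window.
    if (cookie.samesite == UNSPECIFIED and method.upper() == "POST"
            and cookie.age_seconds < lax_post_window):
        return True
    return False


def cross_site_post_breakage(headers: List[str], age_seconds: float,
                             lax_post_window: float = LAX_POST_WINDOW) -> List[str]:
    """Names of cookies a cross-site top-level POST would NOT carry."""
    dropped = []
    for h in headers:
        c = parse_set_cookie(h, age_seconds)
        if not would_be_sent(c, same_site=False, top_level=True, method="POST",
                             lax_post_window=lax_post_window):
            dropped.append(c.name)
    return dropped


# Constructed sample Set-Cookie headers, as an application under audit might emit them.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/; HttpOnly",               # no SameSite: Lax by default
    "_session=def456; Path=/; Secure; SameSite=None",    # correct cross-site opt-in
    "csrf_token=ghi789; Path=/; SameSite=Strict",
    "legacy=jkl012; Path=/; SameSite=None",              # None without Secure: rejected
]

if __name__ == "__main__":
    print("30s old, rule active:   ", cross_site_post_breakage(SAMPLE_SET_COOKIE, 30))
    print("10min old, rule active: ", cross_site_post_breakage(SAMPLE_SET_COOKIE, 600))
    print("30s old, rule removed:  ", cross_site_post_breakage(SAMPLE_SET_COOKIE, 30, 0))
```

Running it shows the point of the thread: while the exception is in place, a fresh session cookie with no SameSite attribute still survives a cross-site POST, so the breakage only surfaces for sessions older than two minutes, or for everyone once the window is gone. Cookies that must ride along on an intentional cross-site POST need an explicit `SameSite=None; Secure`.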

