Google’s next big step in its two-year march to remove support for third-party cookies on its Chrome browser went into effect last Monday and brought with it concerns over a new capability, moves by Microsoft to react to the changes and continued uncertainty brought about by the slow pace of the rollout.
The effort to overhaul how same-site cookies are handled by the Chrome browser was initially revealed last May, following similar moves by Apple and its Safari browser in April 2017 and Mozilla/Firefox that November.
The newest version of Google’s browser, Chrome 80, includes a capability called “ScrollToTextFragment,” which enables Google to index websites and share links down to a single word of text and that word’s position on the webpage.
Brave Software senior privacy researcher Peter Snyder was one of the first to point out ScrollToTextFragment, saying in a tweet, “Imposing privacy and security leaks to existing sites (many of which will never be updated) really should be a ‘don’t break the web,’ never cross, redline. This spec does that.”
Snyder’s company is behind privacy-focused browser Brave.
Google provided an example of how the capability can be used, saying that adding “https://en.wikipedia.org/wiki/Cat#:~:text=” before “On islands, birds can contribute as much as 60% of a cat’s diet” loads the Wikipedia page for “cats,” highlights the specific text and scrolls directly to it.
However, Snyder brought up a potential way ScrollToTextFragment could be misused, writing, “Consider a situation where I can view DNS (domain name system) traffic (e.g., company network), and I send a link to the company health portal, with ‘#:~:text=cancer.’ On certain page layouts, I might be able to tell if the employee has cancer by looking for lower-on-the-page resources being requested.”
Another browser rival chimed in, as well.
David Baron, principal engineer at Firefox parent Mozilla, said in a comment on GitHub prior to the release of Chrome 80, “My high-level opinion here is that this a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems. So, I think the question we should think about is how the problems of the solution chosen here compare to the problems of other options, and how they compare to the value of the feature.”
Google Chromium engineer David Bokan countered in the same GitHub thread that Google is working on an opt-in/opt-out solution, but ScrollToTextFragment was going live without one, adding, “We discussed this and other issues with our security team and, to summarize, we understand the issue but disagree on the severity.”
Chrome is currently the only browser that supports ScrollToTextFragment, according to Matt Southern of Search Engine Journal.
On the compatibility front, Microsoft published a lengthy summary of steps that may need to be taken by users of some of its cloud services and other products based on open standards.
Microsoft said in its post, “Although the change is intended to discourage malicious cookie tracking and protect web applications, it’s also expected to affect many apps and services that are based on open standards. This includes Microsoft cloud services. All Microsoft cloud services are updated to comply with the new requirements made by Chrome, but some other applications may still be affected.”
The company provided specific instructions on updates that it recommended be installed by customers using versions of Windows Server, Exchange Server, SharePoint Server, SharePoint Foundation and Skype for Business Server.
And with the slow pace of the rollout of changes to how Chrome handles same-site cookies, further issues may surface as more of the browser’s users are updated.
Google software engineer Michael Kleber defended the rollout’s pace in a Jan. 31 tweet, saying, “Many rollouts, and all dangerous ones, are controlled by an experiment fraction that we change over time.”
Google had not provided any updates on the sample size of the rollout of changes to same-site cookies, but Microsoft principal program manager Eric Lawrence said in a tweet last week that it appeared that the figure was around 1% of the total.
There was also no update available on the target date for the update to be pushed to 100% of Chrome users.