On February 4, 2020, Google will release version 80 of the Chrome™ browser, which includes a change to the default policy for sending and receiving cross-site cookies. The current version of Chrome (version 79) already includes this blocking, but it only starts after a 2-minute delay, so the effects are currently minimal.
What is changing?
If a website does not define its policy on how cross-site cookies should be treated, the browser will start to block them by default.
What does it mean for ClickDimensions?
Products embedded in the Microsoft Dynamics domain make cross-domain web API calls, setting and sending cookies on their own domain within the browser. As a result, ClickDimensions (embedded in Dynamics) is setting and receiving cross-site cookies via API calls initiated from the Dynamics domain. Therefore, as of Chrome version 80, the cookies passed in these API calls will be blocked by Chrome and some of our pages will fail, showing a security error.
We rely on cookies for authentication so your Dynamics users can interact with ClickDimensions without needing to log in for each interaction with the cloud-based portion of our solution. Some of these ClickDimensions cloud items also use different subdomains, so while they are part of the ClickDimensions organization, pages on those subdomains would also likely fail when trying to load.
What is ClickDimensions doing?
Online Dynamics Environments
We reached out to Microsoft as they are also aware of the Chrome update and the subsequent issue. They are planning to release a fix for Dynamics 365, beginning the weekend of February 1, 2020. This fix will enable Dynamics 365 environments to allow cross-site cookies, so we expect most Dynamics 365 customers will not see issues as a result of the fix.
We have also started the steps to get early access to this Microsoft release so we can verify prior to February 1st that the fix will indeed circumvent the issue. However, the early access to that version is still not finalized.
On-Premise Dynamics Environments
For On-Premise Dynamics users the problem remains, as they will not get this update at the same time as online environments. We did request more information from Microsoft, but as stated in their notice on this issue, On-Premise customers who are affected “are encouraged to disable the SameSite behavior in computers they govern by using Group Policy, System Center Configuration Manager.”
For pages on our subdomains that use cross-site cookies, we will be checking them and then applying fixes as needed to allow cross-site cookies. This will override Chrome's new default policy of blocking them.
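To show which cookies the new default affects, the following added example (not ClickDimensions' or Microsoft's code) classifies Set-Cookie header values the way Chrome 80 treats them on a cross-site subrequest such as an embedded API call. It relies on Chrome's documented rule that a cookie is only sent cross-site when it is marked SameSite=None together with Secure; the function names and sample headers are constructed for illustration.

```javascript
// Added example: how Chrome 80's SameSite defaults treat a Set-Cookie header
// on a cross-site subrequest (e.g. an API call made from inside another site).

// Split one Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const name = (parts[0] || '').split('=')[0];
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Verdicts: 'sent', 'blocked' (stored, but withheld cross-site) or
// 'rejected' (Chrome refuses to store the cookie at all).
function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = (attrs.get('samesite') || '').toLowerCase();
  const secure = attrs.has('secure');
  if (sameSite === 'none') {
    return secure
      ? { name, effective: 'None', verdict: 'sent' }
      : { name, effective: 'None', verdict: 'rejected' }; // None requires Secure
  }
  if (sameSite === 'strict') return { name, effective: 'Strict', verdict: 'blocked' };
  // Explicit Lax, a missing attribute and an unrecognized value all end up as Lax.
  return { name, effective: 'Lax', verdict: 'blocked' };
}

// Return the names of cookies that will not reach the server cross-site.
function cookiesNeedingFix(headers) {
  return headers
    .map(crossSiteVerdict)
    .filter((r) => r.verdict !== 'sent')
    .map((r) => r.name);
}

// Constructed sample headers (not captured from any real service).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',
  'auth=tok; Path=/; Secure; HttpOnly; SameSite=None',
  'pref=1; Path=/; SameSite=None',
  'csrf=x; Secure; SameSite=Strict',
];

console.log(cookiesNeedingFix(SAMPLE_HEADERS)); // [ 'session', 'pref', 'csrf' ]
```

Cookies reported here only matter if the service actually needs them in an embedded, cross-site context; cookies used solely on the site's own pages can stay Lax or Strict.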
We will continue working with Microsoft and updating this article as we have more information to share.
- Advanced Workaround
To avoid encountering any cross-site cookie issues, ClickDimensions recommends using a browser other than Chrome. While you may not see any impact if you are on an online version of Dynamics, for our on-premise customers we do recommend sharing this information with your technical team to ensure that you have access to a browser other than Chrome to avoid any issues.
Share this article with your IT team.
If your IT team would like to continue using Chrome, they are welcome to review an optional advanced workaround we obtained from Google, or you can see if one of the resources below will provide you with a simpler workaround. Please keep in mind that ClickDimensions is not able to support or help implement any workarounds mentioned so please work with your organization's technical resource if you need assistance.
- This thread on Google's support site offers some insight into a possible, simpler workaround.
- This page on The Chromium Projects site provides some instruction on leveraging the SameSite cookie's legacy behavior to circumvent the new behavior.
If you would like to continue using Chrome upon its update to version 80, but need to avoid the cross-site cookie issue, you can implement the following workaround we obtained from Google. Please keep in mind that you will need to enlist a technical resource in your organization to accomplish this. ClickDimensions will be unable to provide assistance or support for implementing this.
Steps to follow
The below screenshots and instructions reflect a Windows operating system so if using Mac or Linux, you may see different options or UI. Please refer to Google's documentation in the below link to ensure you get this set up correctly.
- Install and configure Chrome policy templates as described here.
Select your set of instructions based on which operating system your machine uses.
- Once you've followed the steps shown for your operating system, you'll be able to edit the policy. (For Windows instructions this is what you can do once you reach step 3, but for Mac or Linux you will complete all steps shown in order to be able to edit the policy.)
- Locate the option called Revert to legacy SameSite behavior for cookies on these sites. In Windows this will be under the Content Settings folder but Mac or Linux may have a different folder name.
- Enable this setting by double-clicking on it and setting the radio button to Enabled.
- Then you must configure which sites this policy applies to. Click on the Show button and enter all sites that should use the old cookie behavior. The example shown below uses an asterisk (*), which is a wildcard and would allow all sites to use the old behavior.
- Apply the policies to your target machine(s). Depending on your network's configuration, this may require time for the policy to propagate, or you may need to propagate the policies manually via administrator tools. Running gpupdate /force in a Command Prompt, as shown below, would handle the manual update.
Will my tracking or analytics data be affected?
No. ClickDimensions tracking data will not be affected by this change in Chrome so you should continue to see analytics for your end users/recipients visiting your site, submitting forms, etc. This is because tracking cookies associated with the tracking code are being saved in your organization's domain which is not the same as the cross-site cookie behavior Chrome is restricting.
Will my recipients/end users see any errors from this Chrome restriction?
No. People who receive your emails, visit your site, or interact with other elements you're tracking with ClickDimensions should not see any errors as a result of the Chrome update. The Chrome cookie restrictions would only occur while you or others in your organization are logged into Dynamics and using ClickDimensions within it.