Comment by Cthulhu_
6 years ago
Is it because Google's webapps will have their own a/b tests which use experimental features only available in Chrome perhaps?
I mean personally I think they should do client-side feature detection and be back to being standards compliant and not creepy. The only reason why I'd consider such a flag is because they optimize the payload server-side to return a certain a/b test, but even with that they could do the default version first, do feature detection, and then set a session cookie for that domain only that loads the a/b test.
My other Thought was that they test a feature that is implemented across Google's properties, e.g. something having to do with their account management.
Isn't this what cookies are for?
Cross-site cookies are soon getting blocked by Chrome starting Chrome 80 if I'm right (whereas this header isn't)
So they build a personal back door to a feature that they've chosen to remove for everyone else? Because of it's potential for abuse, yet the very same company is somehow abusing it in a way more sinister way. Antitrust can't come soon enough.
Chrome will only block cross-site cookies that don't use HTTPS and the SameSite=Lax flag. It's easy for trackers to user HTTPS and SameSite=Lax. This Chrome change is mostly intended to protect against Cross Site Request Forgery (CSRF) attacks, not to block trackers.
I can think of a hundreds reasons why they do this. It doesn't make it right in any of those.