
Chrome SameSite Changes and Account Engagement

Publish Date: Sep 30, 2025
Description

To improve user security, Chrome is moving to a secure-by-default model that has the potential to stop third-party cookies from functioning. Starting on July 14th, 2020, all third-party cookies must have SameSite attributes set and come from a site with HTTPS for the browser to transmit the data to Account Engagement.

This change can impact your ability to track prospects with Account Engagement. Account Engagement is working to update third-party cookies with the SameSite attributes so that they continue to function after the change. However, if the sites you track with Account Engagement do not use HTTPS you must convert them to HTTPS to keep domain tracking operating as expected.
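The following added example (not Salesforce code) applies Chrome's SameSite-by-default rules to `Set-Cookie` headers and reports whether each cookie would still work in a third-party context. The cookie names, values and sample responses are constructed for illustration; `go.example.com` is the example tracker host used later in this article.

```python
from urllib.parse import urlsplit

# Constructed sample responses: (URL that set the cookie, Set-Cookie value).
# Cookie names and values are made up; go.example.com is the page's example host.
SAMPLES = [
    ("https://go.example.com/l/4", "visitor_example=123; Path=/; Secure; SameSite=None"),
    ("https://go.example.com/l/4", "visitor_example=123; Path=/; Secure"),
    ("https://go.example.com/l/4", "visitor_example=123; Path=/; SameSite=None"),
    ("http://go.example.com/l/4", "visitor_example=123; Path=/; Secure; SameSite=None"),
    ("https://go.example.com/l/4", "prefs_example=a; SameSite=Lax; Secure"),
]


def parse_set_cookie(header):
    """Return (name, attrs) with attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs


def third_party_verdict(url, header):
    """Return (cookie name, usable cross-site?, reason) under Chrome's rules."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite in ("lax", "strict"):
        label = samesite.capitalize()
        return name, False, "SameSite=%s: withheld from cross-site subrequests" % label
    if samesite != "none":
        return name, False, "no valid SameSite: defaults to Lax, withheld cross-site"
    if "secure" not in attrs:
        return name, False, "SameSite=None without Secure: cookie rejected"
    if urlsplit(url).scheme != "https":
        return name, False, "Secure cookie set over HTTP: cookie rejected"
    return name, True, "sent in third-party context"


def audit(samples=SAMPLES):
    """Classify every sample response; returns a list of verdict tuples."""
    return [third_party_verdict(url, header) for url, header in samples]


if __name__ == "__main__":
    for name, ok, reason in audit():
        print("%-16s %-5s %s" % (name, "OK" if ok else "FAIL", reason))
```

Only the first sample passes: it carries both `SameSite=None` and `Secure` and is set over HTTPS.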

What Are First-Party and Third-Party Cookies?

A first-party cookie is issued by the site the user visits, and the domain attribute matches the domain in the browser’s address bar. First-party cookies are used by the website owner for things like storing your page preferences and collecting site analytics data.

A third-party cookie is created when the site sends a request to the third party’s servers. The servers return the requested file and the cookie is assigned to the visitor. The kind of file that’s returned depends on the use case—commonly it’s an ad or a tracking pixel. A third-party cookie’s domain attribute does not match the domain in your browser’s address bar. Third-party cookies are typically used to show content from different websites and web tracking.

Why Does Account Engagement Use Third-Party Cookies?

Account Engagement issues a third-party cookie to enable tracking across domains. For example, suppose you maintain two domains, SiteA.com and SiteB.com. When a visitor comes to SiteA.com, they are issued an Account Engagement cookie with a unique visitor ID. When they visit SiteB.com, the Account Engagement cookie lets Account Engagement know it is the same visitor from SiteA.com, and Account Engagement connects the activity to the same prospect.

Do I Need to Take Action?

If your Account Engagement tracker domains are SSL-enabled and you are tracking pages served over HTTPS, you don’t need to do anything.

If that’s not the case or you don’t know, work with your IT or website admin to make sure that the domains you use with Account Engagement follow these guidelines.

As a best practice, we recommend that your tracker domain is a subdomain of your main website.

How Can I Check Whether I Need to Take Action?

Ensure your tracker domains in Account Engagement are SSL-Enabled and served over HTTPS

Verify configuration in Account Engagement

  1. In Account Engagement Classic, navigate to Admin → Domain Management. In Account Engagement Lightning App, navigate to Account Engagement Settings → Domain Management. Refer to the “Tracker Domains” table.
  2. Ensure that your tracker domain has “Enabled” under “SSL Status”.
  3. Ensure that your tracker domain has “HTTPS” under “HTTPS Status”.

 

Verify via loading an asset served on one of your tracker domains

If you use a regular Chrome window, then you may see false warnings related to Account Engagement application cookies. Instead, test these settings using an Incognito window. The pi.pardot.com and go.pardot.com SameSite warnings don't cause problems with prospect tracking and can be ignored. These warnings are the result of session cookies, which are unrelated to tracking. 

  1. In Account Engagement, navigate to an asset that is configured to serve on your tracker domain (in this example, navigate to a landing page via Marketing → Landing Pages).
  2. Open the landing page by clicking on the “Vanity URL” link in the Landing Page table (e.g., “https://go.example.com/l/4/2020-01-06/c2”).
  3. Once the landing page opens, check the browser for an indication of whether the page loaded over HTTP (insecure) or HTTPS (secure).
    • In Chrome, you can see this information by clicking on the lock icon in the address bar of the browser.
    • If everything is set up correctly, you can load the landing page and see the “Connection is secure” message when you click on the lock icon in the address bar of Chrome. 
    • If there is any misconfiguration, you will either be unable to load the landing page, or you will see a “Not Secure” message where the lock icon would normally be. 

Ensure that pages with Account Engagement tracking code are served over HTTPS

In this example, the page at “https://www.example.com/track.html” contains the Account Engagement tracking code from a campaign in Account Engagement. Using the same technique of inspecting the lock icon in the address bar in Chrome, we can see that the page is served over HTTPS, and is ready for SameSite.

(Recommended) Ensure your tracker domains are subdomains of the same domain as your main website

In this example, the main website for “Example Company” is “https://www.example.com”. The tracker domains are subdomains of “.example.com” (go.example.com and go2.example.com).

  1. In Account Engagement, navigate to Admin → Domain Management.
  2. See that your tracker domains are subdomains of the same domain as your main website.

Knowledge Article Number

000381318

 