Chrome February 2020 Policy Updates: Xandr Customer and Partner Guide
This guide explains the recent changes to Google's cookie policies and how they affect Xandr ad technology. It also recommends actions publishers, buyers, bidders, and partners may need to implement in response.
Publishers who have not implemented these changes on Chrome browsers may experience drop-offs in revenue or delivery. Please read this guide carefully to continue effectively monetizing your inventory.
Overview of Changes
Chrome is making the following changes:
Google Chrome has announced a "secure-by-default" model for cookies, as part of efforts to improve privacy and security across the web. This change means Chrome will stop sending third-party cookies in cross-site requests unless the cookies are:
- marked as Secure
specifically flagged as being used for cross-site tracking by setting SameSite=None. This setting is important for Xandr cookies because they use a different domain from the publisher domain.
Xandr is making the following changes:
Xandr is flagging all our cookies as
SameSite=None and marking them as
Secure in January 2020. We are also implementing an automatic http ----> https redirect to minimize the level of cookieless traffic.
Actions for Sellers, Buyers, Bidders, Partners, and Mobile SDK Users
If you need more help after reading this guide, please log a request on the Xandr Support Portal at help.xandr.com.
Sellers must ensure that ad requests and cookie syncs with Xandr are secure (https) in order for Xandr to receive cookie information. If sellers make non-secure ad requests or cookie syncs, Chrome will not send and Xandr will not receive the cookie, negatively impacting monetization.
We recommend ensuring that:
- All sites are secure
Ad requests are sent over secure https protocols
Bidders and data providers will continue to receive ad requests in http. This is expected, and these partners do not need to take any action concerning ad requests.
- Cookie syncs are sent over secure https protocols
Pixels such as conversion and segment pixels are sent over secure https protocols
Xandr will redirect http calls to https, but partners should check and update their pixel implementations as required to prevent latency and and impact monetization.
- SameSite Cookies Explained: https://web.dev/samesite-cookies-explained/
- Chrome Enforcement and How to Prepare: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
- Google Samesite Updates: https://www.chromium.org/updates/same-site
Detailed Instructions for Compliance
Step 1: Make Sure Your Site Is Secure
Load your site in Chrome, and check next to the URL for an indication of security status as shown below.
- Info or Not secure
- Not secure or Dangerous
This step verifies that site URLs are secure: it does not affect ad requests on the page. Note that OpenRTB doesn't require site URLs to be secure, provided that
"secure" : 1 is sent in bid requests.
Step 2: Make Sure Your Ad Requests Are Secure
The most reliable way to confirm if the ad requests are secure is to test on page. To do this, open the Chrome Developer Console. In the Network tab, search for the Xandr endpoint using either adnxs.com or the appropriate handler (
ptv, etc.). Make sure that the calls use
Step 3: Remediate Non-Secure Requests
If prebid calls are non-secure, this indicates that the site is non-secure. Use the following options to ensure prebid calls are secure:
For more information, see:
If your Xandr bid requests use one of the following endpoints on Chrome, you need to manually update all tags from
If the site is secure, the AST call will be secure. If the site is non-secure, the AST call will be non-secure.
All publishers should be making their sites https to force secure AST calls. However, Xandr will enforce https regardless of the incoming protocol, so non-secure sites are still compliant on Chrome.
|Mobile SDK Integrations||Publishers need to manually enable HTTPs by setting |
Instructions for External Sellers, Data Providers, and Bidders
- All OpenRTB sellers and partners should include
"secure" : 1in bid requests according to the spec. For more information, see Incoming Bid Request from SSPs.
- Server-side partners should make sure usersync pixel URLs are secure. This includes any usersync pixel URLs Xandr stores and drops for you, and all the subsequent calls made by the URL.
- Bidders should ensure
nurlvalue in bid responses is non-secure. Secure
nurlwill be ignored, and could result in overspend and discrepancies.
Changing the OpenRTB endpoint URL to https is not required, and has no effect.
Validating Page Security Ahead of the February 4 Release
To prepare for the impact of the new Chrome behavior on your site or cookies before February 4, you can go to chrome://flags in Chrome 76+ and enable SameSite by default cookies and Cookies without SameSite must be secure. These experimental settings apply the intended behavior on Chrome after the update.