Skip to end of metadata
Go to start of metadata


Chrome February 2020 Policy Updates: Xandr Customer and Partner Guide


This guide explains the recent changes to Google's cookie policies and how they affect Xandr ad technology.  It also recommends actions publishers, buyers, bidders, and partners may need to implement in response.

Publishers who have not implemented these changes on Chrome browsers may experience drop-offs in revenue or delivery. Please read this guide carefully to continue effectively monetizing your inventory.

Overview of Changes

Chrome is making the following changes:

Google Chrome has announced a "secure-by-default" model for cookies, as part of efforts to improve privacy and security across the web. This change means Chrome will stop sending third-party cookies in cross-site requests unless the cookies are:

  • marked as Secure 
  • specifically flagged as being used for cross-site tracking by setting SameSite=None. This setting is important for Xandr cookies because they use a different domain from the publisher domain.

Xandr is making the following changes:

Xandr is flagging all our cookies as SameSite=None  and marking them as Secure  in January 2020. We are also implementing an automatic http ----> https redirect to minimize the level of cookieless traffic. 

Actions for Sellers, Buyers, Bidders, Partners, and Mobile SDK Users

If you need more help after reading this guide, please log a request on the Xandr Support Portal at

Sellers must ensure that ad requests and cookie syncs with Xandr are secure (https) in order for Xandr to receive cookie information. If sellers make non-secure ad requests or cookie syncs, Chrome will not send and Xandr will not receive the cookie, negatively impacting monetization. 

We recommend ensuring that:

  1. All sites are secure (https) 
  2. Ad requests are sent over secure https protocols

    Bidders and data providers will continue to receive ad requests in http. This is expected, and these partners do not need to take any action concerning ad requests.

  3. Cookie syncs are sent over secure https protocols
  4. Pixels such as conversion and segment pixels are sent over secure https protocols 

    Xandr will redirect http calls to https, but partners should check and update their pixel implementations as required to prevent latency and and impact monetization.

Further Reading

Detailed Instructions for Compliance

Step 1: Make Sure Your Site Is Secure 

Load your site in Chrome, and check next to the URL for an indication of security status as shown below. 

  • Lock Secure
  • View site information Info or Not secure
  • Dangerous Not secure or Dangerous

This step verifies that site URLs are secure: it does not affect ad requests on the page. Note that OpenRTB doesn't require site URLs to be secure, provided that "secure" : 1 is sent in bid requests.

Step 2: Make Sure Your Ad Requests Are Secure

The most reliable way to confirm if the ad requests are secure is to test on page. To do this, open the Chrome Developer Console. In the Network tab, search for the Xandr endpoint using either or the appropriate handler (prebid, ttj, ptv, etc.). Make sure that the calls use https, not http

Step 3: Remediate Non-Secure Requests

Integration  Remediation Steps

Prebid.js Integrations

If prebid calls are non-secure, this indicates that the site is non-secure. Use the following options to ensure prebid calls are secure:  

  1. Update the site to secure. This will trigger prebid calls to be made secure automatically.
    1. Note: If "http://" is hardcoded when loading Prebid.js, publisher will need to change hard code to use "https://" or remove hard code entirely. See prebid doc here.
  2. Ensure all integrated bidders are compliant with secure requests to their endpoints (HTTPS). Bidders are already required to use secure pages, so this should not be a big issue.
  3. Upgrade the prebid version to Prebid 3.0. This should ensure calls are made securely even if the site itself is not SSL compliant. 

For more information, see:

 Tag Integrations

If your Xandr bid requests use one of the following endpoints on Chrome, you need to manually update all tags from http to https   →

Request TypeAffected Endpoint
  • /ttj
  • /mob
  • /ssmob
  • /ptv
  • /ssptv
  • /vmap
  • /ssvmap
AST Integrations

If the site is secure, the AST call will be secure. If the site is non-secure, the AST call will be non-secure.

All publishers should be making their sites https to force secure AST calls. However, Xandr will enforce https regardless of the incoming protocol, so non-secure sites are still compliant on Chrome.


Include "secure" : 1 in bid requests according to the spec. For more information, see Incoming Bid Request from SSPs

Mobile SDK IntegrationsPublishers need to manually enable HTTPs by setting  SDKSettings.useHttps(true);.

Instructions for External Sellers, Data Providers, and Bidders

  • All OpenRTB sellers and partners should include "secure" : 1 in bid requests according to the spec. For more information, see Incoming Bid Request from SSPs
  • Server-side partners should make sure usersync pixel URLs are secure. This includes any usersync pixel URLs Xandr stores and drops for you, and all the subsequent calls made by the URL.
  • Bidders should ensure nurl value in bid responses is non-secure. Secure nurl will be ignored, and could result in overspend and discrepancies. 

Changing the OpenRTB endpoint URL to https is not required, and has no effect.

Validating Page Security Ahead of the February 4 Release

To prepare for the impact of the new Chrome behavior on your site or cookies before February 4, you can go to chrome://flags in Chrome 76+ and enable SameSite by default cookies and Cookies without SameSite must be secure. These experimental settings apply the intended behavior on Chrome after the update.






  • No labels