• _s10e@feddit.de
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    2
    ·
    1 year ago

    So what exactly are 3rd party cookies?

    I’m on a.com, that is what’s shown in the address bar.

    The page includes a resource a.com/image.png. A request the server will include cookies from a.com. That’s a 1st party cookie. Correct?

    The page includes a resource b.com/image.png. The request will not include cookies from a.com; this was always the case. b.com can however set their own cookies. Since we are on a.com, cookies from b.com are ‘third party’. Correct?

    It gets interesting when we navigate to c.com and c.com includes b.com/image.png, a tracking pixel we have seen before on a.com.

    Without 3rd party cookie protection, b.com sees the cookie they set previously while on a.com. This will now be blocked. Correct?

    Now explain this in a Javascript world.

    • phoneymouse@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Open up developer tools and look at the network requests just about any website you visit makes. Logged in to facebook.com and then went to visit a.com? Well, a.com has a Facebook like button and script delivered to your browser when you load their page that allows Facebook to figure out that your logged in Facebook user id visited a.com. Not only did you do that, but you hovered over a button to buy boots for 3 seconds and didn’t click. Now, Facebook calls home with the knowledge user 827027 is a potential boot buyer and can spam them with boot ads.

      Interestingly, a.com also loads about 30 other scripts from other ad networks and trackers, including Google, and similarly lets them call home with info stored in their respective third party cookies.

    • simonced@lemmy.one
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I am not sure, but I think browsers will block access to third party cookies from javascript. In your example, c.com/script.js will not be able to access b.com cookies. Now, when the browser sends the request to b.com/image.png, browsers will NOT send the cookies associated with b.com when visiting other domains than b.com. BUT, the request might contains a “referer” info set by the browser, hence b.com can still track you. This is something that some browsers block already, but as a web developer, I always see referers in the logs, so it’s either not working, or it is opt-in in the options, and normies don’t change it…