this post was submitted on 15 Dec 2023
223 points (98.7% liked)
Technology
59598 readers
3423 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
So what exactly are 3rd party cookies?
I'm on a.com, that is what's shown in the address bar.
The page includes a resource a.com/image.png. A request the server will include cookies from a.com. That's a 1st party cookie. Correct?
The page includes a resource b.com/image.png. The request will not include cookies from a.com; this was always the case. b.com can however set their own cookies. Since we are on a.com, cookies from b.com are 'third party'. Correct?
It gets interesting when we navigate to c.com and c.com includes b.com/image.png, a tracking pixel we have seen before on a.com.
Without 3rd party cookie protection, b.com sees the cookie they set previously while on a.com. This will now be blocked. Correct?
Now explain this in a Javascript world.
Open up developer tools and look at the network requests just about any website you visit makes. Logged in to facebook.com and then went to visit a.com? Well, a.com has a Facebook like button and script delivered to your browser when you load their page that allows Facebook to figure out that your logged in Facebook user id visited a.com. Not only did you do that, but you hovered over a button to buy boots for 3 seconds and didn’t click. Now, Facebook calls home with the knowledge user 827027 is a potential boot buyer and can spam them with boot ads.
Interestingly, a.com also loads about 30 other scripts from other ad networks and trackers, including Google, and similarly lets them call home with info stored in their respective third party cookies.
I am not sure, but I think browsers will block access to third party cookies from javascript. In your example, c.com/script.js will not be able to access b.com cookies. Now, when the browser sends the request to b.com/image.png, browsers will NOT send the cookies associated with b.com when visiting other domains than b.com. BUT, the request might contains a "referer" info set by the browser, hence b.com can still track you. This is something that some browsers block already, but as a web developer, I always see referers in the logs, so it's either not working, or it is opt-in in the options, and normies don't change it...