7

What is the difference between 1st party cookies and 3rd party cookies and what are the pros and cons of disabling it?

Will facebook and google (and other ad companies) be completely unable to track you when they're not in their site? What about if you are on a site that requires a facebook or gmail login? Will these sites require 3rd party cookies to be turned on?

Knee
  • 71
  • 1
  • 2

1 Answers1

13

Disabling 3rd party cookies is largely a privacy measure.

Cookies are restricted with a Same Origin Policy (SOP), which essentially mandates that a site on domain A can't set a cookie for domain B, and your browser shouldn't send cookies for domain A when visiting domain B. This is largely for security reasons: you don't want sites being able to read session cookies from other domains!

Advertisers and analytics companies have, of course, found ways around this. Instead of setting a cookie for their domain, they include a small resource (usually called a "pixel" tracker) on the page, from a 3rd party domain. The HTTP response from the 3rd party domain is free to set cookies for its own domain, so it generates a unique ID for your visit and sends it as a cookie. You then visit another site, which also uses that same tracker pixel. The same 3rd party domain can read back that cookie because it's part of the same origin, and therefore track that you came from one site to another.

Blocking third party cookies stops this behaviour. It prevents the 3rd party resource from setting a cookie because it was fetched in the context of a different domain, i.e. the page you're viewing. The implementation essentially modifies the cookie SOP to limit the cookie origin to the domain of the page you're viewing.

Keep in mind that this isn't infallible, though. One work-around that is commonly used is to generate a unique resource (e.g. a dynamically generated CSS file with a unique ID inside it) and serve it with cache-control headers set to ensure caching. Modern browsers hash the contents of the cached resource and send that hash as part of a HEAD request to sites to see if they've changed and need to be re-downloaded. The tracking server then takes that hash and looks it up against its database of unique IDs, and works out which one you were. Evil, no?

Polynomial
  • 135,049
  • 43
  • 306
  • 382
  • 2
    Just a small alteration - is HEAD used any more? I thought it was just a GET and then the server returned 304 Not Modified if already cached. – SilverlightFox Sep 25 '14 at 14:12
  • The last paragraph is very interesting, is there any defence a browser can employ against this. Do all advertisers use this method? – Luke De Feo Dec 17 '16 at 02:13
  • @LukeDeFeo Tools like Ghostery and NoScript help block these features. It is not a universal practice by all advertisers, but it is extremely common to see tracking pixels embedded in websites. It is hard to know which of these analytics providers perform cross-estate tracking. StackExchange itself uses Quantcast, AdZerk, and ScoreCard Beacon, all of which use tracking pixels, though I believe Quantcast is the only one of those which is explicitly known to track users across the internet and not just the originating site. – Polynomial Dec 19 '16 at 15:01