0

In RFC 6265 Section 7.1, it says:

Particularly worrisome are so-called "third-party" cookies. In rendering an HTML document, a user agent often requests resources from other servers (such as advertising networks). These third-party servers can use cookies to track the user even if the user never visits the server directly.

For example, if a user (using the same computer and the same web browser software, IE/Chrome etc.) visits a site (A.com) that contains content from a third party (P) and then later visits another site (B.com) that contains content from the same third party (P), the third party can track the user between the two sites.


I'm curious, what does it mean by track the user between the two sites?

To be concrete...

  • Assume I'm that user,
  • A.com's HTML contains an <img> tag grabbing images from server P, and B.com does the same;
  • I visit A.com in the morning then visit B.com in the evening;

Via storing cookies on my computer, P knows I have web browsing behavior in the morning as well as in the evening (no doubt), but can P know I browse A.com (instead of B.com) in the morning?

Jimm Chen
  • 5,904
  • Not to worry you, but even innocuous sites like Stack Exchange do it - https://i.stack.imgur.com/9PbAp.png Lots of browsers automatically block them these days. – Tetsujin Dec 16 '20 at 10:25

1 Answer

0

Well, I found it out, as hinted by https://en.wikipedia.org/wiki/HTTP_cookie#Third-party_cookie.

For a simple index.html like this:

<!doctype html>
<body>
  <p>An image below:</p>
  <img src="https://chjfth.github.io/web/res/bg-pagehead.jpg"/>
</body>

When viewing it in a Web browser, it sends out an HTTP request like this to fetch the image file:

GET https://chjfth.github.io/web/res/bg-pagehead.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://10.22.3.84:5000/seeimage/index.html
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: chjfth.github.io
If-Modified-Since: Fri, 13 Sep 2019 11:24:09 GMT
If-None-Match: "5d7b7c59-3534"
DNT: 1
Connection: Keep-Alive

Notice the Referer: http://10.22.3.84:5000/seeimage/index.html line; it tells the third party (chjfth.github.io) which webpage is fetching the image file.

Jimm Chen
  • 5,904
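
The answer's Referer observation applied to the A.com/B.com scenario from the question, as an added example that is not part of the original posts: a small Python model of third party P and a browser, showing what P can log with both signals present, with Referer suppressed, and with third-party cookies blocked. The hostnames (a.example, b.example), the cookie name uid and all class and function names are hypothetical.

```python
# Added illustration: models what third-party server P can record per image request.
# Hostnames, the cookie name "uid" and all names below are hypothetical.
import itertools
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

class ThirdPartyP:
    """Server P: identifies the browser by cookie, the embedding page by Referer."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.log = []  # entries are (uid, embedding site or None)

    def handle(self, headers):
        jar = SimpleCookie(headers.get("Cookie", ""))
        resp = {}
        if "uid" in jar:                       # returning browser
            uid = jar["uid"].value
        else:                                  # first contact: issue an identifier
            uid = f"u{next(self._ids)}"
            resp["Set-Cookie"] = f"uid={uid}; Secure; SameSite=None"
        ref = headers.get("Referer")
        site = urlsplit(ref).hostname if ref else None
        self.log.append((uid, site))
        return resp

class Browser:
    """Minimal browser model with two privacy switches."""
    def __init__(self, third_party_cookies=True, send_referer=True):
        self.third_party_cookies = third_party_cookies
        self.send_referer = send_referer
        self.cookie = None                     # cookie stored for P, if any

    def visit(self, page_url, p):
        headers = {}
        if self.send_referer:
            headers["Referer"] = page_url      # page that embeds P's image
        if self.third_party_cookies and self.cookie:
            headers["Cookie"] = self.cookie
        resp = p.handle(headers)
        if self.third_party_cookies and "Set-Cookie" in resp:
            self.cookie = resp["Set-Cookie"].split(";", 1)[0]

def what_p_learns(**browser_settings):
    """Visit A in the morning and B in the evening; return P's log."""
    p, b = ThirdPartyP(), Browser(**browser_settings)
    b.visit("https://a.example/morning.html", p)
    b.visit("https://b.example/evening.html", p)
    return p.log
```

With both signals present P logs the same uid against both sites; without Referer it sees one user but not which site; without third-party cookies it sees both sites but cannot tell they were the same user. Note that the common browser default Referrer-Policy, strict-origin-when-cross-origin, trims the path but still sends the origin, so the site name remains visible to P.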