Third-party cookies are set on your computer from domains other than the one that you’re actually on right now. For example, if I log into css-tricks.com, I’ll get a cookie from css-tricks.com that handles my authentication. But css-tricks.com might also load an image from some other site. A common tactic in online advertising is to render a “tracking pixel” image (well named, right?) that is used to track advertising impressions. That request to another site for the image (say, ad.doubleclick.com) also can set a cookie.

Eric Lawrence explains the issue:
The tracking pixel’s cookie is called a third party cookie because it was set by a domain unrelated to the page itself.
If you later visit B.textslashplain.com, which also contains a tracking pixel from ad.doubleclick.net, the tracking pixel’s cookie set on your visit to A.example.com is sent to ad.doubleclick.net, and now that tracker knows that you’ve visited both sites. As you browse more and more sites that contain a tracking pixel from the same provider, that provider can build up a very complete profile of the sites you like to visit, and use that information to target ads to you, sell the data to a data aggregation company, etc.
But times are a changin’. Eric goes on to explain the browser landscape:
- Brave: Blocks by default
- Safari: “Intelligent Tracking Prevention” is more complicated, but it does block third-party cookies by default (February 21, 2019).
- Firefox: Blocks known-trackers by default (September 3, 2019)
- Edge: You can enable tracking prevention and pick a level. The “balanced” level in the middle still allows stuff like third party auth (June 27, 2019).
- Chrome: Blocking by default is coming (February 4th, 2020). Slightly different in that the cookies will set themselves as first-party only by default. Edge and Firefox plan to match the change.
The default stuff is the big deal, because all browsers offer some way to block third-party cookies. But of course, nobody actually does it. Jeremy:
It’s hard to believe that we ever allowed third-party cookies and scripts in the first place. Between them, they’re responsible for the worst ills of the World Wide Web.
2019 is the year we apparently reached the breaking point.
Note that by default Firefox only blocks third-party cookies from domains that are known trackers. Blocking all third-party cookies probably breaks too many things, and I don’t think any browser does that currently or ever will.
SameSite=Lax by default is not a privacy enhancement, it’s a security enhancement
If I understand correctly, Chrome 80+ will set SameSite=Lax by default. However, third-party trackers like ad.doubleclick.com can choose to set SameSite=None on their cookies and continue to do all the tracking that they used to be able to do. So this change does not help protect the user’s privacy from ad trackers, rather it is a security improvement to help protect sites and users from CSRF attacks. The tracking blocking that Brave, Safari, Firefox and Edge (?) do is different, as the third party trackers don’t have a say in the matter, they can’t opt out.
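The comment above describes two different things a browser decides with one attribute: whether a tracking pixel's cookie travels cross-site (privacy), and whether a site's session cookie rides along on a cross-site request (CSRF). The following script is an added example, not part of the post or of any comment, that models those decisions in a small cookie-jar simulator. The hosts (a.example.com, b.textslashplain.com, ad.doubleclick.net, bank.example) come from the page or are constructed placeholders; the site-matching rule is a simplification (last two DNS labels) and stands in for the Public Suffix List a real browser uses.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


def site_of(host: str) -> str:
    """Constructed approximation of a registrable domain ("site"):
    the last two labels. Real browsers consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


@dataclass
class Cookie:
    name: str
    value: str
    domain: str               # host that set the cookie
    same_site: str = "Lax"    # Chrome 80+ default when the attribute is absent


def cookie_is_sent(cookie: Cookie, top_level_site: str, request_url: str,
                   method: str = "GET", top_level_navigation: bool = False) -> bool:
    """Does the browser attach `cookie` to a request for `request_url`
    while the address bar shows `top_level_site`?"""
    host = urlsplit(request_url).hostname
    if site_of(host) != site_of(cookie.domain):
        return False                       # cookie belongs to another site entirely
    if site_of(host) == site_of(top_level_site):
        return True                        # first-party context: always sent
    # Cross-site (third-party) context from here on.
    if cookie.same_site == "None":
        return True                        # tracker opted in; old behaviour continues
    if cookie.same_site == "Lax":
        # Lax: only on top-level navigations using a safe method (GET),
        # never on subresources (pixels, iframes) or cross-site POSTs.
        return top_level_navigation and method == "GET"
    return False                           # Strict: never cross-site


TRACKER = "ad.doubleclick.net"
PIXEL_URL = f"https://{TRACKER}/pixel.gif"


def sites_where_tracker_cookie_is_sent(visited_sites, same_site_attr: str):
    """Which visits' tracking-pixel requests carry the tracker's cookie?
    With SameSite=None (the opt-out the comment describes) the same cookie
    reaches the tracker from every site, so the visits can be linked."""
    tracker_cookie = Cookie("id", "abc123", TRACKER, same_site_attr)
    return [site for site in visited_sites
            if cookie_is_sent(tracker_cookie, site, PIXEL_URL)]


def csrf_post_carries_session(same_site_attr: str) -> bool:
    """A form on evil.example auto-submits a POST to bank.example. Does the
    bank's session cookie go with it? Lax (the new default) says no."""
    session = Cookie("session", "s3cr3t", "bank.example", same_site_attr)
    return cookie_is_sent(session, "evil.example",
                          "https://bank.example/transfer",
                          method="POST", top_level_navigation=True)


if __name__ == "__main__":
    visits = ["a.example.com", "b.textslashplain.com"]
    print("SameSite=None:", sites_where_tracker_cookie_is_sent(visits, "None"))
    print("SameSite=Lax: ", sites_where_tracker_cookie_is_sent(visits, "Lax"))
    print("CSRF POST with Lax session:", csrf_post_carries_session("Lax"))
    print("CSRF POST with None session:", csrf_post_carries_session("None"))
```

Running it shows the asymmetry the comment points out: a tracker that sets SameSite=None gets its cookie from both visits exactly as before, while a bank whose session cookie is Lax (now the default) no longer has that cookie attached to a cross-site POST, although a plain link to the bank still works because Lax allows top-level GET navigations.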
Eric Law explains the implications of the SameSite=Lax change for privacy here:
By what mechanism do third-party pixels know which sites you are visiting?
I find this concept a bit confusing:
How does the tracker know which sites that you visited? Just because you are using the same third-party cookie in both visits doesn’t in itself explain how the tracker knows which sites you visited. Is it reading the Referer header or something? How does setting a referrer policy affect this? What about crossorigin="anonymous"?
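The question above asks by what channel the tracker learns the page, not just that the visitor is the same. As an added example (not part of the post or of any comment), the script below computes the Referer value a cross-origin image request carries under each Referrer-Policy, and whether the crossorigin attribute lets the request carry cookies at all. The page URL and pixel URL are constructed sample values; the policy rules follow the Referrer Policy specification, and the credentials rule follows how browsers fetch an img element (no attribute: cookies included; crossorigin="anonymous": cookies withheld cross-origin).

```python
from typing import Optional
from urllib.parse import urlsplit


def referer_for(policy: str, page_url: str, request_url: str) -> Optional[str]:
    """Referer header value sent when a page at `page_url` requests
    `request_url` under the given Referrer-Policy (None = no header)."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    full = page._replace(fragment="").geturl()          # fragment is never sent
    origin = f"{page.scheme}://{page.netloc}/"
    same_origin = (page.scheme, page.netloc) == (req.scheme, req.netloc)
    downgrade = page.scheme == "https" and req.scheme == "http"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":    # browser default
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def cookies_sent_cross_origin(crossorigin_attr: Optional[str]) -> bool:
    """Does an <img> request to another origin include cookies?
    No attribute  -> no-cors request with credentials, cookies included
                     (still subject to the cookie's own SameSite rule).
    "anonymous"   -> CORS request without credentials, cookies withheld.
    "use-credentials" -> CORS request with credentials, cookies included."""
    if crossorigin_attr is None:
        return True
    return crossorigin_attr.lower() == "use-credentials"


# Constructed sample: a page on a.example.com embedding the tracker's pixel.
PAGE_URL = "https://a.example.com/articles/7?utm=newsletter#top"
PIXEL_URL = "https://ad.doubleclick.net/pixel.gif"


def what_tracker_learns(policy: str = "strict-origin-when-cross-origin",
                        crossorigin_attr: Optional[str] = None) -> dict:
    """What the tracker's server receives from the pixel request.
    (Trackers also commonly embed a site identifier in the pixel URL itself,
    so Referer is one channel, not the only one.)"""
    return {
        "referer": referer_for(policy, PAGE_URL, PIXEL_URL),
        "cookie_possible": cookies_sent_cross_origin(crossorigin_attr),
    }


if __name__ == "__main__":
    for policy in ("strict-origin-when-cross-origin", "unsafe-url",
                   "origin", "same-origin", "no-referrer"):
        print(f"{policy:32s} -> {what_tracker_learns(policy)}")
    print('crossorigin="anonymous"          ->',
          what_tracker_learns(crossorigin_attr="anonymous"))
```

Under the default policy the tracker receives only the origin (https://a.example.com/), which is still enough to record "this visitor was on a.example.com"; a Referrer-Policy of same-origin or no-referrer on the page removes that channel, and crossorigin="anonymous" on the img stops the cookie from being attached, so the request can no longer be tied to the visitor's earlier visits even when the cookie is SameSite=None.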