  • Having third-party (3rd party) cookies disabled

  • remove all cookies

  • login to gmail.com

  • visit youtube.com without logging in

    and wonder how it is that youtube.com knows your gmail identity??

Can anyone explain how this is achieved technically and what is the point then of disabling 3rd party cookies??

mike8394
  • Youtube is owned by Google, so Youtube and Gmail are pretty closely related to each other. – Steven Nov 01 '17 at 13:45
  • Browser's 3rd-party cookie settings might apply to accepting received cookies only, but not restrict what gets sent back (haven't checked, test yourself please if interested) - and the gmail.com cookie is of course not a 3rd-party cookie at the moment it is set, because you _are_ on gmail.com. If that's not it, then it is probably due to some cross-domain communication in the background. _"what is the point then of disabling 3rd party cookies?"_ - mostly that ads and tracking scripts that are embedded into a page are hindered from setting their own cookies in that situation. – CBroe Nov 01 '17 at 13:46
  • It would be very strange if blocking 3rd party cookies would not restrict what gets sent back - that would effectively mean no 3rd party cookies blocking... cross-domain communication in the background sounds promising though... – mike8394 Nov 01 '17 at 19:54
  • You were partly right. See my answer – mike8394 Nov 01 '17 at 20:48

2 Answers

In this (somewhat special/simple) case I would expect the answer to be that you are not really confronted with 3rd party cookies. I assume by 3rd party cookie you mean a cookie that is coming from a different domain than the site you are visiting.

For example a "gmail.com" cookie when you are visiting "youtube.com".

I would be surprised if Google would not set a cookie for "google.com" when you log in to Gmail (login is via "accounts.google.com" for example).

Now if (and again, I am pretty sure that this happens) youtube is loading anything from google.com (analytics.google.com?), that will happily transfer the cookie (which in this case is not a 3rd party cookie as we have defined it before).

scherand
  • I disagree. Disabling 3rd party cookies means that when you visit domain A, you disallow anything from that domain to set any cookies for any other domain than A, and if domain A requests anything from another domain, these requests have no cookies set. So you see, when youtube.com loads anything from analytics.google.com it will NOT send the cookie.... That is pretty much the definition of disabling third-party cookies.... – mike8394 Nov 01 '17 at 19:43
  • and to address your first point, yes, I agree that most likely the mechanism is different from third-party cookies. But what is it? – mike8394 Nov 01 '17 at 19:50

So I have done some simple tests and,

Apparently blocking 3rd party cookies does not mean blocking 3rd party cookies!

After logging in to gmail.com, gmail instructs the browser to set cookies for .youtube.com domain and the browser happily does (with 3rd party cookies being disabled).

What this means is that any domain 'A' can happily set cookies for any domain 'B', which means that when you visit domain 'B', it will know that you visited domain 'A' and what you have done there...

When have we signed up for this kind of Web?

A follow-up question:

Which browsers correctly implement 3rd party cookies blocking?

mike8394
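
As an added example (not part of the original thread and not any browser's code), here is a simplified JavaScript model of the two rules the discussion turns on: the RFC 6265 domain-match check applied to `Set-Cookie`, and the first-party versus third-party decision for the response that carries it. The function names, the sample requests and the two-label `site()` shortcut are assumptions; real browsers use the Public Suffix List and differ in how they apply the blocking setting, and this model covers storing cookies only, not sending them.

```javascript
// Simplified model of cookie scoping; constructed for illustration.
// Assumption: the "site" is the last two host labels (browsers use the Public Suffix List).
const site = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// RFC 6265 section 5.3: a Set-Cookie whose Domain attribute does not
// domain-match the responding host is ignored entirely.
function canSetCookieFor(responseHost, domainAttr) {
  return domainMatches(responseHost, domainAttr);
}

// A response is third-party when its site differs from the top-level page's site.
// In a top-level navigation (each redirect hop included) the destination is the top level.
function isThirdParty(req) {
  const topLevel = req.topLevelNavigation ? req.host : req.pageHost;
  return site(topLevel) !== site(req.host);
}

// Decide whether a Set-Cookie carried by this response would be stored.
function evaluate(req, domainAttr, blockThirdParty) {
  if (!canSetCookieFor(req.host, domainAttr)) return 'rejected: domain mismatch';
  if (blockThirdParty && isThirdParty(req)) return 'blocked: third-party context';
  return 'stored';
}

// Constructed sample responses (hosts and flows are illustrative, not observed traffic).
const samples = [
  { note: 'gmail.com response, Domain=.youtube.com',
    req: { host: 'gmail.com', pageHost: 'gmail.com', topLevelNavigation: true },
    domain: '.youtube.com' },
  { note: 'www.youtube.com subresource embedded in a gmail.com page',
    req: { host: 'www.youtube.com', pageHost: 'gmail.com', topLevelNavigation: false },
    domain: '.youtube.com' },
  { note: 'www.youtube.com reached as a top-level redirect hop',
    req: { host: 'www.youtube.com', pageHost: 'gmail.com', topLevelNavigation: true },
    domain: '.youtube.com' },
  { note: 'analytics.google.com subresource embedded in a youtube.com page',
    req: { host: 'analytics.google.com', pageHost: 'youtube.com', topLevelNavigation: false },
    domain: 'google.com' },
];

for (const s of samples) {
  console.log(`${s.note}: ${evaluate(s.req, s.domain, true)}`);
}
```

In this model a `.youtube.com` cookie can only come from a response served by a youtube.com host, and it is stored under third-party blocking only when that response is part of a top-level navigation.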