
If I use an image, stylesheet, webfont, or other non-script resource from an external site (e.g., hotlinking, embedding, or linking), can that site set a third-party cookie on a user's device when they visit my web site? Are there any HTML elements (besides script, applet, iframe, object, or embed) that can be used to set a third-party cookie by using an external URL in a src or href attribute?

I am aware that you can do some trickery on your web server to, for example, handle a .jpg file as if it's a different file type (.php, .aspx, etc.) which could set a cookie as well as return stylesheet content. I'm specifically asking if a "real" image or other resource could be used to set cookies.

I'm not trying to do this, I'm trying to prevent it. This question occurred to me while trying to make sure a web site was fully GDPR and ePrivacy compliant. I know GDPR questions are not allowed, and I'm not asking for legal advice. This is more about curiosity on the security and privacy issues that can result from seemingly "safe" sharing of third-party content.

Rick

2 Answers


Yes

Cookies can be set by response headers, therefore any website resource outside your control can set its cookie. Of course, the cookie will be visible/accessible only to its domain (not yours).

This is a GDPR privacy concern for you, because third-party companies can trace users this way; moreover, they see the client IP and browser signature, which can be interpreted as a privacy problem too.

Khazul

It is impossible to prevent other sites or servers from installing cookies when THEIR assets are being used. There isn't a way to prevent it from happening on the server side. The GDPR should have pointed to browsers making that possible, but has squarely placed the liability on the site holder. That being said, you have a website, but the asset itself is not yours. You are no more responsible for that content than a person embedding a YouTube clip. Now, you can test to see if it does install a cookie: just open the picture in an incognito window and check if it installs cookies. Now, if there is any cookie with a seemingly random ID number, then it may be tracking; if it has generic text like tracking=denied, then it probably isn't. Keep in mind that most sites will also have to behave in accordance with those laws, or just block EU countries, which is much easier.

  • Thanks for the additional information. Unfortunately you ARE responsible for actions of third parties via your site under the GDPR (including anything Google/YouTube does when you embed a YouTube video). That's why it's so hard to be compliant. – Rick Jun 30 '18 at 12:56
  • Again, to be compliant may seem really hard, and it is, but we were talking about a photograph, and not an embedded script. Thing is, you simply stated in a response that the first-party site is responsible. It is only partly true. For this, here is some legal literature at https://www.iubenda.com/en/help/6282-legal-sources-third-party-cookie-names-opt-out-requirements for you to read. Provided you make a best attempt to comply, you are only responsible for your cookies; the rest is up to each individual third party. Simply name the tools and their privacy policies, and indicate them as required tools. – Steve Smith Jul 01 '18 at 23:14
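Both answers make the same two points: a cookie is carried by the response headers, so a perfectly ordinary image can set one, and the way to find out is to fetch the asset and look at what comes back. The following is an added example (not from the question, either answer, or any real site) that does both on localhost: a tiny server returns a valid 1x1 PNG with a `Set-Cookie` header (cookie name `track` and its value are constructed), and `audit_set_cookie()` is a hypothetical helper a site owner could point at any embedded asset URL to list the cookies it tries to set before hotlinking it.

```python
import struct, threading, zlib
from http.client import HTTPConnection
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def make_png_1x1():
    """Build a valid 1x1 transparent RGBA PNG in memory (constructed test image)."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)      # 1x1, 8-bit depth, RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\x00")      # filter byte + one pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

class ImageWithCookie(BaseHTTPRequestHandler):
    """Serves a genuine PNG whose response headers also carry a cookie (constructed name)."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        # The cookie rides on the headers; the body is an ordinary image, not a script.
        self.send_header("Set-Cookie", "track=a1b2c3; Path=/; HttpOnly; SameSite=None; Secure")
        self.end_headers()
        self.wfile.write(make_png_1x1())
    def log_message(self, *args):   # keep the demo quiet
        pass

def start_server():   # demo server on an ephemeral localhost port; returns its base URL
    srv = HTTPServer(("127.0.0.1", 0), ImageWithCookie)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def audit_set_cookie(url):
    """Return (content_type, {cookie: {value, attrs}}) for every Set-Cookie the resource sends."""
    u = urlsplit(url)
    conn = HTTPConnection(u.hostname, u.port or 80, timeout=5)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    found = {}
    for header in resp.headers.get_all("Set-Cookie") or []:
        jar = SimpleCookie()
        jar.load(header)   # parses attributes such as Path, HttpOnly, SameSite into the morsel
        for name, morsel in jar.items():
            found[name] = {"value": morsel.value, **{k: v for k, v in morsel.items() if v}}
    content_type = resp.getheader("Content-Type", "")
    conn.close()
    return content_type, found

if __name__ == "__main__":
    ctype, cookies = audit_set_cookie(start_server() + "/pixel.png")
    print(ctype, cookies)   # image/png {'track': {'value': 'a1b2c3', 'path': '/', ...}}
```

The audit reports what the server attempted; whether the browser actually stores a cookie delivered in a third-party context depends on its own policy (for example third-party cookie blocking and the `SameSite=None; Secure` requirement).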