7

I have a website that loads a resource from another website. I've been able to determine that:

  • The third-party website places cookies on the user's browser.
  • If I disable third-party cookies in my browser settings, the third-party website is no longer able to place cookies on the browser.
  • The resource still works properly.

I'm wondering if there is some kind of header or other directive I can deliver from my website that will have the same effect for my users as if they had disabled third-party cookies, but which doesn't require them to go and monkey around with their settings.

Brian Rak
  • Did you find the answer to this? If so, could you add your insights? – Sumuga Dec 26 '19 at 05:47
  • @StormBr34ker No, I didn't. Instead, I included instructions in my site's privacy policy for disabling third-party cookies. Definitely a lame workaround, but better than nothing. – Brian Rak Dec 26 '19 at 18:58
  • Oh okay @Brian Rak. Thanks. I used a Google Tag Manager for blocking most of the cookies. Although, I could not find a definitive (single shot) way to block the ones that are set by the framework or plugins, etc. – Sumuga Dec 30 '19 at 13:36
  • Does this help: [How to block third-party cookies](https://cookie-script.com/how-to-block-third-party-cookies.html)? It really depends on how you are accessing this third-party site/source. Could you give more details please? e.g. what language/framework you are using, maybe a code snippet of how you are accessing this site/source –  Dec 31 '19 at 02:40
  • Thanks for the link! From what I was able to tell, it looks like that is a script that essentially prevents the loading of other scripts on your page that you've decorated with a `data-cookiescript` attribute unless the user has opted to accept cookies. What I was looking for was a little different. I still want to load and run the script from the third-party website. I simply want to prevent that script from creating cookies on the client. Basically exactly the same behavior as if the user had disabled third-party cookies in their preferences. – Brian Rak Dec 31 '19 at 02:54
  • Would there be a possibility of simply duplicating that script and then modifying it to remove the creation of cookies? –  Dec 31 '19 at 03:00

1 Answer

4

Generally, it has been impossible to prevent your browser from including cookies in your HTTP requests. However, recently, a few new ways to fetch resources were added to browsers.

  • Using the Fetch API: `fetch` ignores `Set-Cookie` in responses, and does not include `Cookie` unless specified.

  • Using ES6 (ES2015) modules: `<script type="module" ...>` without its `crossorigin` attribute will not send `Cookie`. It doesn't work for non-module scripts, and the server (not yours, the one serving the file) must be configured to serve the file with valid CORS headers. Scripts imported with `import * from blah.com/script.js` will also behave in the same way. Follow the link for more info.

  • Setting `crossorigin="anonymous"`: Resource elements such as `script`, `img` and `style` with `crossorigin="anonymous"` will not include `Cookie` headers in subsequent requests.

But these all work by using Cross-Origin Resource Sharing (CORS), and if the resource server is configured to disallow requests without credentials (cookies, and other headers), they won't work. You will likely get 404 or other errors instead.

If you are worried about third-party cookies, it's usually better to serve statics from your own server, or cookie-free servers like most CDNs.

Browsers such as Firefox and Safari disable third-party cookies by default, and Chrome is the last modern browser that still allows third-party cookies by default as of Jan 2020. But even Chrome is phasing out third-party cookies.

Hurried-Helpful
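Added example (not part of the answer above or of any project it mentions): a build-time helper that applies the `crossorigin="anonymous"` approach to every cross-origin `<script>`, `<img>` and `<link>` tag in a page, plus a `fetch` wrapper with credentials omitted. The function names, the sample HTML and the `*.example` origins are assumptions made for illustration.

```javascript
// Added example, not code from the answer. Names and origins are constructed.
const TAG_RE = /<(script|img|link)\b([^>]*?)(\s*\/?)>/gi;
const URL_ATTR_RE = /(?:^|\s)(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
const HAS_CROSSORIGIN_RE = /(?:^|\s)crossorigin\b/i;

// True when `url`, resolved against the page, is http(s) on another origin.
function isThirdParty(url, pageOrigin) {
  try {
    const resolved = new URL(url, pageOrigin);
    return /^https?:$/.test(resolved.protocol) &&
      resolved.origin !== new URL(pageOrigin).origin;
  } catch {
    return false; // unparsable URL: leave the tag untouched
  }
}

// Adds crossorigin="anonymous" to cross-origin <script>, <img> and <link>
// tags so the browser requests them without Cookie and discards Set-Cookie.
// Tags that already carry a crossorigin attribute are left as written.
function addAnonymousCrossorigin(html, pageOrigin) {
  return html.replace(TAG_RE, (tag, name, attrs, close) => {
    const m = attrs.match(URL_ATTR_RE);
    if (!m || HAS_CROSSORIGIN_RE.test(attrs)) return tag;
    const url = m[1] ?? m[2];
    if (!isThirdParty(url, pageOrigin)) return tag;
    return `<${name}${attrs} crossorigin="anonymous"${close}>`;
  });
}

// Runtime counterpart for fetch(): never send cookies, never store new ones.
function fetchWithoutCookies(url, init = {}) {
  return fetch(url, { ...init, mode: "cors", credentials: "omit" });
}

// Constructed sample page served from https://mysite.example
const SAMPLE_HTML = [
  '<script src="https://widgets.thirdparty.example/embed.js"></script>',
  '<img src="/img/logo.png">',
  '<img src="//cdn.thirdparty.example/pixel.gif" />',
  '<link rel="stylesheet" href="https://mysite.example/site.css">',
].join("\n");

console.log(addAnonymousCrossorigin(SAMPLE_HTML, "https://mysite.example"));
```

As the answer notes, a rewritten tag only loads if the third-party server responds with CORS headers, so check each rewritten resource in the browser's network panel after deploying.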