
Is it possible for any code loaded in an iframe to set first-party cookies?

E.g. I have a site, www.my-website.com, and I need to load some content from a third-party provider, www.third-party-site.com, for legitimate purposes. But (for obvious security reasons) I do not want to allow them to be able to set (or read) any first-party cookies (i.e. cookies with the domain www.my-website.com; they are welcome to set any cookies on their own domain, www.third-party-site.com).

Is the above possible under certain conditions, or not possible at all?

  • if the iframe is not sandboxed?
  • if the iframe code loads, say, an image that has cookie headers?
  • any other conditions?
  • some browsers allow it vs. others do not?

My understanding is that this is not possible at all, and most answers on SO etc. seem to support this, but some are pointing to examples where Facebook has a workaround to this in certain conditions etc. Hence I thought to clarify.


1 Answer


By design, no. That's not to say that workarounds have not been found, or that bugs have permitted it in the past, but they are very much bugs and not things you should expect or try to use; leaking a first-party cookie to a third party would qualify as a major security problem.

To reduce exposure, you should ensure that appropriate cookie flags are set: Secure, to prevent cookies from being sent over insecure links; HttpOnly, to prevent JavaScript from accessing them; and, if available, SameSite, to avoid CSRF attacks. You should also set HTTP headers to control framing of your own site, to avoid clickjacking, and other headers like CSP to keep tighter control over sources.

There is one very simple way of avoiding all the negative consequences of third-party cookies: don't have any. It's possible to do a great many things without them, and it means you may not need to display cookie notifications or seek consent.

Since you're asking an abstract question about this, you might get a better answer on Security Stack Exchange.

Synchro

Thank you very much! The first line pretty much answers the question. I will move / re-post in the security stack exchange for more granular details, but this answers the question. – Razor Clawson Oct 29 '18 at 18:47
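As an added example (not code from the question or the answer above), the following JavaScript models the two points the answer makes. The first half implements the domain rule from RFC 6265 section 5.3 that a user agent applies to every Set-Cookie it receives: a cookie carrying a Domain attribute is discarded unless the host that sent the response domain-matches that attribute, which is the reason a response from www.third-party-site.com cannot create a cookie scoped to www.my-website.com. The second half builds the hardened first-party response headers the answer recommends. The host names are the ones from the question; the cookie names, values and the `acceptCookie`/`hardenedHeaders` function names are constructed for this example.

```javascript
// Added example, not part of the original question or answer.
// Part 1: RFC 6265 cookie-domain acceptance, as a user agent applies it.
// Part 2: hardened first-party headers (Secure/HttpOnly/SameSite, framing control).

// RFC 6265 section 5.1.3: host "domain-matches" domain if they are equal, or if
// host ends with "." + domain and host is not an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, ""); // leading dot is ignored (section 5.2.3)
  if (host === domain) return true;
  const isIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIpv4 && host.endsWith("." + domain);
}

// Decide whether a user agent stores a cookie set by a response from
// `responseHost`, following the Domain steps of RFC 6265 section 5.3.
// Returns the stored cookie {name, value, domain, hostOnly}, or null if rejected.
function acceptCookie(responseHost, setCookieHeader) {
  const parts = setCookieHeader.split(";").map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split("=");
  const value = valueParts.join("=");
  if (!name) return null;

  let domainAttr = "";
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split("=");
    if (k.trim().toLowerCase() === "domain") domainAttr = v.join("=").trim();
  }

  if (domainAttr === "") {
    // No Domain attribute: host-only cookie, scoped to the responding host itself.
    return { name, value, domain: responseHost.toLowerCase(), hostOnly: true };
  }
  // Domain attribute present: ignore the cookie entirely unless the responding
  // host domain-matches the requested domain (section 5.3, step 6).
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (!domainMatches(responseHost, domain)) return null;
  return { name, value, domain, hostOnly: false };
}

// Hardened headers for a first-party response. `frameAncestors` is a CSP
// source expression ("'none'", "'self'", or an allow-list of origins).
function hardenedHeaders(cookieName, cookieValue, frameAncestors = "'none'") {
  const headers = {
    // Secure: HTTPS only; HttpOnly: no document.cookie access; SameSite: CSRF mitigation.
    "Set-Cookie": `${cookieName}=${cookieValue}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    "Content-Security-Policy": `frame-ancestors ${frameAncestors}`,
  };
  // X-Frame-Options cannot express an allow-list, so it is emitted only for the
  // two cases it can represent; browsers that support frame-ancestors prefer CSP.
  if (frameAncestors === "'none'") headers["X-Frame-Options"] = "DENY";
  else if (frameAncestors === "'self'") headers["X-Frame-Options"] = "SAMEORIGIN";
  return headers;
}

// Constructed scenarios from the question.
// A framed third party tries to plant a cookie on the first-party domain: rejected.
console.log(acceptCookie("www.third-party-site.com", "sid=evil; Domain=www.my-website.com; Secure"));
// The same third party setting a cookie on its own host: accepted, host-only.
console.log(acceptCookie("www.third-party-site.com", "tp=1; Path=/"));
// The first-party site setting a cookie for its own registrable domain: accepted.
console.log(acceptCookie("www.my-website.com", "sess=abc; Domain=my-website.com"));
console.log(hardenedHeaders("sess", "abc", "'self'"));
```

One caveat this makes visible: the check is purely a domain-match, so a third party that you host under a subdomain of your own site (for example, content served from a host ending in .my-website.com) can set a cookie with Domain=my-website.com that your www host will then receive. Keep third-party content on a domain you do not share, and treat the flags in `hardenedHeaders` as reducing exposure rather than as a substitute for that separation.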