
We have a pixel file just like Google Analytics, the Facebook pixel or the Hotjar pixel, which we give to our customers and they add it to their website. We then set some cookies on their website with our domain.

I read this article on SameSite cookies and I understand that if I am the first party's developer I should use SameSite=Strict or Lax so that third parties like us cannot read their secret cookies. But I cannot find any resource for the third-party developers who get, set and read cookies on the first party's website.

What SameSite value should third-party developers use if they want to get and set only the first party's cookies?

Akash Joshi

1 Answer


If I fully understand your question, there's a confusion: SameSite is not about sharing the cookie with someone else.

In any case, a cookie issued by SiteA will only be sent to SiteA.

What Google is going to add as a protection is to distinguish between:

  • SiteA (= same site) requests a resource on SiteA (the cookie will be sent, whatever its SameSite attribute value)
  • SiteB (= another site) requests a resource on SiteA (the cookie will be sent only if SameSite is Lax, or - in future versions of Chrome - SameSite=None; Secure)

So, if you provide a script to be included from another site, the cookie must have a SameSite=Lax attribute.

That's the case for an analytics script, as it is (for example) for a CDN providing jQuery.

Pierre-Olivier Vares
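The following is an added example and is not part of the question or the answer above. It models, in plain JavaScript, the rule a browser applies when deciding whether to attach a cookie to a request, and a helper that builds the `Set-Cookie` header a third-party pixel server would emit. The rules encoded are the ones in the cookie specification draft (RFC 6265bis) as shipped by Chrome 80+: a `SameSite=Lax` cookie is attached cross-site only on top-level navigations using a safe method, a missing attribute is treated as `Lax`, `SameSite=None` is only accepted together with `Secure`, and a `Secure` cookie is only sent over HTTPS. The `siteOf` helper is a simplification (it takes the last two labels instead of consulting the Public Suffix List), and the names `pixel.example` and `customer.example` are constructed sample values. Running the scenarios shows which attribute a cross-site pixel request (an `<img>` or `<script>` loaded from the customer's page) actually needs to carry its cookie, and which requests a `Lax` or `Strict` cookie silently drops out of.

```javascript
// Added example (not from the original post): a model of browser SameSite
// cookie handling plus a Set-Cookie builder for a third-party pixel server.
// Assumptions: RFC 6265bis rules as implemented by Chrome 80+; siteOf() is a
// simplified "last two labels" site computation (no Public Suffix List).

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Registrable-site approximation: "a.pixel.example" and "pixel.example" are
// the same site. Real browsers use the Public Suffix List for this.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Build a Set-Cookie header value. Rejects the combination browsers refuse to
// store (SameSite=None without Secure), which is the common misconfiguration
// when a pixel is first moved to cross-site operation.
function buildSetCookie({ name, value, sameSite = 'Lax', secure = false, domain, path = '/', maxAge }) {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`unknown SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Decide whether the browser attaches `cookie` to `request`.
//   cookie:  { domain, sameSite, secure }
//   request: { url, initiator (hostname of the page issuing the request),
//              topLevel (true for a navigation, false for img/script/fetch),
//              method }
function cookieWouldBeSent(cookie, request) {
  const url = new URL(request.url);
  // Secure cookies never travel over plaintext HTTP.
  if (cookie.secure && url.protocol !== 'https:') return false;
  // A cookie is only ever sent to the site that set it, regardless of SameSite.
  if (siteOf(url.hostname) !== siteOf(cookie.domain)) return false;

  const crossSite = siteOf(request.initiator) !== siteOf(url.hostname);
  if (!crossSite) return true; // same-site: every SameSite value allows it

  const mode = cookie.sameSite || 'Lax'; // Chrome 80+ defaults a missing attribute to Lax
  const method = (request.method || 'GET').toUpperCase();
  switch (mode) {
    case 'Strict':
      return false; // never on cross-site requests, not even navigations
    case 'Lax':
      return Boolean(request.topLevel) && SAFE_METHODS.has(method); // top-level GET only
    case 'None':
      return cookie.secure === true; // cross-site subresources, but only with Secure
    default:
      return false;
  }
}

// Walk the scenarios a pixel vendor cares about and report the verdicts.
function pixelScenarios() {
  const pixelRequest = { url: 'https://pixel.example/t.gif', initiator: 'customer.example', topLevel: false, method: 'GET' };
  const navigation = { url: 'https://pixel.example/login', initiator: 'customer.example', topLevel: true, method: 'GET' };
  const results = {};
  for (const sameSite of ['Strict', 'Lax', 'None']) {
    const cookie = { domain: 'pixel.example', sameSite, secure: true };
    results[sameSite] = {
      crossSiteImage: cookieWouldBeSent(cookie, pixelRequest),
      crossSiteNavigation: cookieWouldBeSent(cookie, navigation),
    };
  }
  return results;
}

console.log(JSON.stringify(pixelScenarios(), null, 2));
```

`pixelScenarios()` makes the practical difference visible: only the `None; Secure` cookie is attached to the cross-site image or script request a pixel actually makes, while a `Lax` cookie rides along solely on a top-level GET navigation to the pixel's own site, and a `Strict` cookie on neither. A customer site that wants to keep its own session cookie out of any embedded third-party flow is exactly the `Strict`/`Lax` case in the other direction.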