Third Party Cookie Privacy Issues

October 16th, 2008

Intro

Cookie settings can be confusing sometimes. Most browsers offer a setting such as `Don’t accept third party cookies` (Firefox), `Accept only cookies from the site I visit` (Opera 9.5) or `Accept only cookies from the sites I visit` (Safari). Although worded a bit differently, these settings appear to have the same functionality.

Not so!

I’m not going into Microsoft’s Internet Explorer, because I think internet users who care about the internet, security and privacy should leave Explorer aside. Microsoft’s privacy and security record is historically below par, as is their support for open standards. And they don’t like the internet: they don’t want to connect people, they want people to use Microsoft products. More on that later!

First of all, the settings aren’t described very well in all dialogs. “Don’t accept” means “don’t send” as well, both in Firefox and Opera, and that’s a good thing, because sending (untrusted) cookies is the `bad` thing.

Default settings, same results

What’s the difference between these settings? Try it yourself: open a Google page in another tab, log in with your account or log in to Gmail, and refresh this page.
[The original post embedded a Google page in an iframe at this point.]
If you have `accept all cookies` selected, you will see a personalized Google page in the iframe, recognisable by your Gmail address somewhere at the top. That’s the same in Firefox, Opera and Safari.

Advanced cookies settings, different results

Now try the other setting: Don’t accept third party cookies.

Reload the page, and the iframe will not show a personalized Google page. The behaviour is the same in Opera and Firefox, but Safari does show a personalized page.

That’s remarkable; I don’t expect browsers to send cookies to third-party iframes when you have explicitly forbidden them.

But now comes an interesting point. Click the search button in the iframe. Google will carry out the same search as before, and Firefox will not show a personalized page, meaning it’s not sending a cookie, but Opera will! Opera is sending a cookie, although the cookie setting is `Only accept cookies from the domain I visit`.

Strange again? Yes and no.

Yes, because you would expect it not to send a cookie to the different domain.
No, because clicking in the iframe means, in a way, visiting the iframe, so the iframe is not a different domain anymore.

It’s debatable which policy is best. I think Safari sucks here: the privacy mode doesn’t work here and the cookie setting doesn’t do what it should do.
I would choose Firefox’s way as best. If I want to visit an iframed Google page as a user, I can do that in a new tab or window.
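The experiment above depends on a third party (Google) that you can log in to. The same check can be run against hosts you control, which makes it repeatable and keeps your real session cookies out of it. The script below is an added example and not part of the original post: it runs two tiny HTTP servers in one process, a “first-party” page on `localhost:8000` that embeds an iframe from `127.0.0.1:8001`, the “third-party” host. Browsers keep separate cookie jars for the host names `localhost` and `127.0.0.1`, so the iframe is cross-site even though both run on your machine. The iframe page always tries to set a cookie and reports whether the browser sent it back; its search form navigates inside the iframe, mirroring the “click the search button” step. Host names, ports and the cookie name `tp_seen` are constructed for this example.

```python
"""Self-hosted test bed for third-party cookie settings (constructed example).

first-party  : http://localhost:8000/   embeds the iframe below
third-party  : http://127.0.0.1:8001/   sets a cookie and reports whether it came back
"""
import html
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

FIRST_PARTY = ("localhost", 8000)   # constructed host/port
THIRD_PARTY = ("127.0.0.1", 8001)   # constructed host/port
COOKIE_NAME = "tp_seen"             # constructed cookie name


def parse_cookies(header):
    """Turn a raw Cookie request header into a dict (None or empty -> {})."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def cookie_status(header):
    """Classify one request to the third-party host: did the browser
    send our cookie back, or not?"""
    return "received" if COOKIE_NAME in parse_cookies(header) else "not received"


def third_party_page(cookie_header, query=""):
    """HTML for the embedded document. It reports the cookie status and offers
    a form that navigates *inside* the iframe (the 'search button' step)."""
    status = cookie_status(cookie_header)
    q = html.escape(parse_qs(query).get("q", [""])[0])  # escape: never echo raw input
    return (
        "<html><body style='font-family:sans-serif'>"
        f"<p>Third-party host {THIRD_PARTY[0]}: cookie <b>{status}</b></p>"
        f"<p>Last in-frame search: <code>{q}</code></p>"
        "<form method='get' action='/'><input name='q' value='test'>"
        "<button>Search</button></form></body></html>"
    )


def first_party_page():
    """HTML for the top-level document that embeds the third-party iframe."""
    src = f"http://{THIRD_PARTY[0]}:{THIRD_PARTY[1]}/"
    return (
        "<html><body style='font-family:sans-serif'>"
        f"<h3>First-party host {FIRST_PARTY[0]}</h3>"
        f"<iframe src='{src}' width='600' height='160'></iframe>"
        "<p>Compare what the iframe reports under each cookie setting, "
        "before and after pressing Search inside it.</p></body></html>"
    )


class ThirdPartyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = third_party_page(self.headers.get("Cookie"), urlparse(self.path).query)
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Always (re)issue the cookie; whether the browser stores and later
        # returns it in a third-party context is exactly what we are testing.
        self.send_header("Set-Cookie", f"{COOKIE_NAME}=1; Path=/")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, fmt, *args):  # one line per request, with the raw Cookie header
        print(f"[third-party] GET {self.path} Cookie={self.headers.get('Cookie')!r}")


class FirstPartyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = first_party_page()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode())


def serve(addr, handler):
    """Start an HTTPServer on addr in a daemon thread and return it."""
    server = HTTPServer(addr, handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    serve(THIRD_PARTY, ThirdPartyHandler)
    serve(FIRST_PARTY, FirstPartyHandler)
    print(f"1. Visit http://{THIRD_PARTY[0]}:{THIRD_PARTY[1]}/ directly (cookie set as first party)")
    print(f"2. Visit http://{FIRST_PARTY[0]}:{FIRST_PARTY[1]}/ and read the iframe, then press Search in it")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        pass
```

Run it, visit the third-party host directly so the cookie is set as first party, then load the first-party page with each cookie setting and watch the server log: a “received” line for the iframe request means the browser sent the cookie to a third party despite the setting, and a change after pressing Search shows the in-frame navigation being treated as a first-party visit. Note that current Chromium-based browsers treat a cookie without a `SameSite` attribute as `Lax`, so the iframe will report “not received” regardless of the setting unless the cookie is issued with `SameSite=None; Secure`, which in turn requires HTTPS.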

Conclusion

Bottom line: third-party cookie settings are implemented differently by browser vendors, and that’s confusing. Cookies are too easily sent to third parties, even with advanced security settings.

Do the strict settings have a side effect on redirects? I’m not sure. What do you think?
