Does a session cookie on a different subdomain count as 3rd-party?


Solution 1

If you set a cookie on domain .example.com,

then a cookie from www.example.com and www.myapp.example.com will be considered the same.

No cookie is treated as a 3rd-party cookie.

Solution 2

Cookies seem to be considered 3rd party if they come from different base domains (base domains being example.com or example.co.uk), but not if they come from different subdomains of the same base domain.

myapp.example.com will be able to set cookies with domain myapp.example.com if it is embedded within www.example.com.

Having myapp.example.com set cookies with domain .example.com is unnecessary unless those cookies need to be read from a different subdomain.

[Tested in Firefox, Chrome (with 3rd party cookies blocked) and Safari] [ThirdPartyUtil.IsThirdPartyInternal seems to be where this is checked in Firefox]

Solution 3

Assuming that the domain attribute is not set on the cookie in question, in this scenario it is indeed a third-party cookie due to the hostnames being different. However, browsers that would ordinarily block third-party cookies will not block it due to the base domains being the same. So in that respect it is not treated as a third-party cookie.

I know this because I was able to successfully set and read a third-party cookie when the base domain was the same and the subdomain was different while third-party cookies were blocked in the latest versions of Firefox, Chrome, and Microsoft Edge's browser settings. This was true even when no domain attribute was set on the cookie. This means that Firefox, Chrome, and Microsoft Edge do not consider cookies from the same base domain to be third-party cookies.

My methodology was as follows. I have two different hostnames with the same base domain but different subdomains. One of them contains two PHP files. The first sets a cookie with a random cookie name and no domain attribute and returns the name of the cookie as JSONP. The second attempts to read the cookie and then returns either true or false as JSONP. The other hostname contains an HTML file that uses AJAX to query the first PHP file that sets the cookie, and then when done, immediately uses AJAX again to query the second PHP file that tests for the existence of the cookie. I first made sure that third party cookies were being blocked by the browser before moving forward. I tested three browsers: Firefox, Chrome and Microsoft Edge. In all cases the results showed that the cookie was successfully set and read even though the cookie was from a different domain as long as the base domains were the same.

Conclusion: if a resource sets a cookie and the base domain on the resource is the same as the base domain on the web site, but the subdomain is different, popular browsers do not treat it as a third-party cookie.
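The base-domain rule that Solutions 2 and 3 describe, together with the Domain-attribute matching Solution 2 mentions, as an added example that is not from any of the answers. It assumes a hand-built three-entry public suffix list in place of the full list browsers consult, and the function names are my own.

```javascript
// Constructed mini "public suffix list" for the demo; real browsers use the
// full Mozilla Public Suffix List to decide where a base domain begins.
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk"]);

// Registrable ("base") domain: the public suffix plus one more label,
// e.g. www.myapp.example.com -> example.com, shop.example.co.uk -> example.co.uk
function baseDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare suffix such as "co.uk" has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treat as having no base domain
}

// Third-party decision as the answers describe it: a resource from a different
// base domain is third party; a different subdomain of the same base is not.
function isThirdParty(topLevelHost, resourceHost) {
  const a = baseDomain(topLevelHost);
  const b = baseDomain(resourceHost);
  return a === null || b === null || a !== b;
}

// A server may only set a Domain attribute that covers itself and is not a
// bare public suffix; otherwise the cookie is rejected (RFC 6265 semantics).
function canSetDomain(settingHost, domainAttr) {
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  const h = settingHost.toLowerCase();
  if (PUBLIC_SUFFIXES.has(d)) return false;
  return h === d || h.endsWith("." + d);
}

// Which requests carry the cookie back. With no Domain attribute the cookie
// is host-only (exact host match); with Domain=.example.com every subdomain
// of example.com receives it, which is why Solution 2 calls that unnecessary
// unless another subdomain must read the cookie.
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === cookie.setBy.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}
```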

Author: RossJ

Updated on June 11, 2022

Comments

  • RossJ, almost 2 years ago

    Suppose I have a site at www.example.com which has an IFRAME pointing to ASP.NET site myapp.othersite.com - this causes issues with session and 3rd-party cookies which I understand.

    If I moved the embedded app to myapp.example.com, would the session cookie still count as a 3rd-party cookie as it is a different subdomain?