Third-party cookies are HTTP cookies which are used principally for web tracking as part of the web advertising ecosystem.
While HTTP cookies are normally sent only to the server setting them or a server in the same Internet domain, a web page may contain images or other components stored on servers in other domains. Third-party cookies are the cookies that are set during retrieval of these components.
A third-party cookie thus can belong to a domain different from the one shown in the address bar, yet can still potentially be correlated to the content of the main web page, allowing the tracking of user visits across multiple websites.
This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements. Although not originally intended for this purpose, the existence of third party cookies opened up the potential for web tracking of a user's browsing history and is used by advertisers to serve relevant advertisements to each user. Third-party cookies are widely viewed as a threat to the privacy and anonymity of web users.
All major web browser vendors had plans to phase out third-party cookies. This decision was reversed for Google Chrome in July 2024.
Mechanism

As an example, suppose a user visits www.example.org. This website contains an advertisement from ad.foxytracking.com, which, when downloaded, sets a cookie belonging to the advertisement's domain (ad.foxytracking.com). Then, the user visits another website, www.foo.com, which also contains an advertisement from ad.foxytracking.com and sets a cookie belonging to that domain (ad.foxytracking.com). Eventually, both of these cookies will be sent to the advertiser when loading their advertisements or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites that have ads from this advertiser, through the use of the HTTP referer header field.
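The two visits described above, replayed as an added simulation (not part of the original article): a tracker that assigns an ID cookie and logs the Referer header, and a browser that can optionally refuse third-party cookies. The `Tracker`, `Browser` and `simulate` names, the `uid` cookie and the two-label domain comparison are assumptions of this example.

```javascript
// Constructed simulation of the visits described above; no network access.
// Registrable domain is approximated as the last two labels (an assumption;
// real browsers consult the Public Suffix List).
const site = (host) => host.split('.').slice(-2).join('.');

class Tracker {
  constructor() { this.nextId = 1; this.log = []; }
  // Handles one ad request: reads the Cookie and Referer headers and
  // returns a Set-Cookie value only if the browser presented no ID.
  handle(headers) {
    const m = /(?:^|;\s*)uid=(\d+)/.exec(headers.cookie || '');
    const uid = m ? m[1] : String(this.nextId++);
    this.log.push({ uid, referer: headers.referer });
    return m ? null : `uid=${uid}`;
  }
  // Groups logged referers by cookie ID: the per-user browsing history.
  histories() {
    const out = {};
    for (const { uid, referer } of this.log) {
      (out[uid] = out[uid] || []).push(referer);
    }
    return out;
  }
}

class Browser {
  constructor(blockThirdParty) { this.block = blockThirdParty; this.jar = new Map(); }
  // Loads a page on pageHost that embeds an ad served from adHost.
  visit(pageHost, adHost, tracker) {
    const thirdParty = site(pageHost) !== site(adHost);
    const allowed = !(this.block && thirdParty);
    const headers = { referer: `https://${pageHost}/` };
    if (allowed && this.jar.has(adHost)) headers.cookie = this.jar.get(adHost);
    const setCookie = tracker.handle(headers);
    if (allowed && setCookie) this.jar.set(adHost, setCookie);
  }
}

// Replays the article's two visits and returns what the tracker learned.
function simulate(blockThirdParty) {
  const tracker = new Tracker();
  const browser = new Browser(blockThirdParty);
  for (const page of ['www.example.org', 'www.foo.com']) {
    browser.visit(page, 'ad.foxytracking.com', tracker);
  }
  return tracker.histories();
}

console.log(simulate(false)); // one ID linked to both sites
console.log(simulate(true));  // a fresh ID per request, nothing to correlate
```

With the block enabled the tracker still receives each Referer, but every request arrives without a stable ID, so the visits cannot be joined into one history.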
Some websites were setting cookies readable for over 100 third-party domains.
On average, a single website was setting 10 cookies, with a maximum number of cookies (first- and third-party) reaching over 800.
The older standards for cookies, RFC 2109 and RFC 2965, recommend that browsers should protect user privacy and not allow sharing of cookies between servers by default. However, a newer standard, RFC 6265, released in April 2011 explicitly allowed user agents to implement whichever third-party cookie policy they wish, and until the late 1990s allowing third party cookies was the default policy implemented by most major browser vendors.
Privacy law and cookie consent dialogs
While useful for advertisers, web tracking is widely seen as a threat to personal privacy. This prompted the creation of laws against tracking without user consent, the most notable of which is the European GDPR.
This led to the creation of "cookie consent" dialogs, which rapidly became a standard feature across advertising-funded (and many other) websites, and notable for their use of dark patterns to attempt to force users to allow tracking by making it hard for them to refuse to grant consent.
Some websites also responded by simply geoblocking users from countries with privacy-friendly laws.
Blocking third-party cookies
Most modern web browsers contain privacy settings that can block third-party cookies, and some now block all third-party cookies by default - as of July 2020, such browsers include Apple Safari, Firefox, and Brave.
Safari allows embedded sites to use the Storage Access API to request permission to request first-party cookies when the user interacts with them. In May 2020, Google Chrome 83 introduced new features to block third-party cookies by default in its Incognito mode for private browsing, making blocking optional during normal browsing. The same update also added an option to block first-party cookies.
Google planned to start blocking third-party cookies by default in late 2024, and in January 2024 started this process with a pilot scheme in which blocking has been implemented for 1% of all Chrome users.
Replacements
Since third-party-cookie-based web tracking was an essential part of the existing web advertising ecosystem, multiple proposals are being implemented to try to replace it.
Google proposes the use of browser-based interest targeting, in which users' interests can be recorded locally by the browser, and then signalled to advertising servers without directly revealing the user's identity. Google's Privacy Sandbox is one such implementation.
Other approaches include the use of browser fingerprinting to track users across sites, which is generally viewed as being as bad a threat to privacy as third-party cookies. There are also concerns that interest-based tracking may itself be abused to fingerprint users.
Circumvention of blocking of third party cookies
A number of methods exist for circumventing the blocking of third-party cookies. One is for the operators of websites to point a DNS name within the site's own domain at an advertiser's server, thus in effect making cookies set on that server first-party cookies from the viewpoint of the browser while still providing a third party with control over the cookie information.
Another approach is for the website operator to proxy traffic from the client to the tracking service's servers. As this would easily allow the website operator to serve false information to the tracking service, this is unlikely to be widely adopted.
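A defender-side check for the DNS-based method above, as an added example (not from the original article): follow the CNAME chain of a hostname that looks first-party and flag it when the chain leaves the site's own domain for a listed tracker. The CNAME records, the tracker list and all function names are constructed for illustration, and the two-label site comparison is a simplification.

```javascript
// Registrable domain approximated as the last two labels (assumption; real
// tooling should use the Public Suffix List).
const norm = (host) => host.toLowerCase().replace(/\.$/, '');
const site = (host) => norm(host).split('.').slice(-2).join('.');

// Constructed CNAME records, shaped like resolver answers.
const CNAME_RECORDS = {
  'metrics.example.org': 'example-org.edge.foxytracking.com.',
  'cdn.example.org': 'assets.example.org.',
  'assets.example.org': 'origin.example.org.',
  'loop.example.org': 'loop.example.org.',
};
const TRACKER_SITES = new Set(['foxytracking.com']); // hypothetical blocklist

// Follows the CNAME chain from host and returns every name visited.
// Stops on a missing record, a loop, or after maxDepth hops.
function cnameChain(host, records, maxDepth = 8) {
  const chain = [norm(host)];
  const seen = new Set(chain);
  while (chain.length <= maxDepth) {
    const next = records[chain[chain.length - 1]];
    if (!next) break;
    const name = norm(next);
    if (seen.has(name)) break;
    seen.add(name);
    chain.push(name);
  }
  return chain;
}

// Classifies a subresource host relative to the page that embeds it.
function classify(pageHost, resourceHost, records = CNAME_RECORDS) {
  if (site(pageHost) !== site(resourceHost)) return 'third-party';
  const foreign = cnameChain(resourceHost, records)
    .find((name) => site(name) !== site(pageHost));
  if (!foreign) return 'first-party';
  return TRACKER_SITES.has(site(foreign))
    ? 'cloaked-tracker'
    : 'first-party-external-cname';
}

for (const host of ['metrics.example.org', 'cdn.example.org', 'ad.foxytracking.com']) {
  console.log(host, '->', classify('www.example.org', host));
}
```

A hostname classified as `cloaked-tracker` receives first-party cookies from the browser even when third-party cookies are blocked, which is why the check has to look at DNS rather than at the URL alone.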