When a page includes third party javascript (via script src=...) and that javascript sets a cookie, that cookie "becomes" a first party cookie, even though it's originally set by a third party source.

My question is this. If someone has disabled third party cookies in their browser, does that also apply to cookies set by third party javascript? Or does it only block cookies that are explicitly set in the headers for requests to the third party domain?

And either way, do all browsers handle this the exact same way or do some block javascript cookies but others allow it?

A: 

I believe most browsers do not differentiate between cookies for a domain set in the HTTP headers vs. ones set by javascript when it comes to enabling/disabling them via user preferences. There certainly COULD be exceptions -- there are no technical reasons preventing someone from extending a browser such that it has different rules for cookies based on exactly where the cookie originated -- but I'm not aware of any.

EDIT: I think I originally misunderstood your question -- I thought you were asking the difference between cookies set via HTTP headers and cookies set via javascript. Rather, you are asking whether a cookie set by javascript which is hosted at a different domain is considered a third-party cookie vs. a cookie that is set by javascript directly inlined in the page or hosted on the same domain? If that is the case, I believe the answer is no (that is, they are treated as first-party cookies). Regardless of the original domain where the js file is hosted, it is executed in the context of the web page which is including it, so it's considered first-party.

RarrRarrRarr
My limited testing with Firefox shows that cookies created by third party javascript still work even with that feature turned off... but testing all the browsers is a bit of a pain so I thought I'd ask if anyone had wondered similar thoughts and tested it more thoroughly.
Sean
No, your original understanding was correct - I'm trying to figure out if cookies via http headers are treated differently than ones set via javascript, even if they're coming "from" the same third party domain.
Sean
+2  A: 

I just thought I'd update this after further testing, in case anyone comes across it later.

I tested Firefox 3.6, MSIE 7, Safari 4, Chrome 4, and Opera 10, and they all do in fact support creating cookies via third party javascript, even when third party cookies are disabled. I conclude this is because the cookies are created for the first party domain, so the browsers treat them as first party cookies, even though they are created by a script from a third party source.

It's only cookies created by headers from third party requests that get rejected when this feature is enabled.

Sean
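
The behaviour reported in the answer above, as a simplified model (an added example, not code from the original posts or from any browser). The host names are constructed, and `siteOf` is an assumption that approximates the registrable domain with the last two host labels, where real browsers use the Public Suffix List.

```javascript
// Simplified model of how a browser classifies a cookie write.
// siteOf() is an approximation: last two host labels instead of the
// Public Suffix List lookup a real browser performs.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Host that ends up owning the cookie.
// via 'script': document.cookie writes to the document the script runs in;
//               scriptUrl (where the .js file was fetched from) plays no part.
// via 'header': a Set-Cookie header belongs to the host that sent the response.
function cookieOwner(write) {
  const source = write.via === 'script' ? write.documentUrl : write.responseUrl;
  return new URL(source).hostname;
}

// Classify the write relative to the top-level page and apply the
// "block third party cookies" preference.
function decide(topLevelUrl, write, blockThirdParty) {
  const owner = cookieOwner(write);
  const party = siteOf('https://' + owner) === siteOf(topLevelUrl) ? 'first' : 'third';
  const accepted = !(blockThirdParty && party === 'third');
  return { owner, party, accepted };
}

// Constructed sample page and writes (example domains only).
const page = 'https://shop.example.com/cart';
const writes = {
  // <script src="https://cdn.tracker.example.net/t.js"> calling document.cookie
  thirdPartyScript: {
    via: 'script',
    scriptUrl: 'https://cdn.tracker.example.net/t.js',
    documentUrl: page,
  },
  // Set-Cookie on the response to a subresource request to the same third party
  thirdPartyHeader: { via: 'header', responseUrl: 'https://cdn.tracker.example.net/pixel.gif' },
  // Set-Cookie from a sibling host of the page's own site
  sameSiteHeader: { via: 'header', responseUrl: 'https://static.example.com/app.css' },
};

function report(blockThirdParty) {
  const out = {};
  for (const [name, write] of Object.entries(writes)) {
    out[name] = decide(page, write, blockThirdParty);
  }
  return out;
}

console.log(report(true));
```

With blocking enabled, only the header-set cookie from the other site is rejected; the script-set cookie is stored under the page's own host, which is why any externally hosted script a page includes can create first-party cookies.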