Will making HTTP cookies unique to a given website make cookies aligned with the strictest privacy guidelines?



  • As far as I know, the only privacy problem with cookies is that in general, the owners of website Y could read what a visitor has searched for or had done in website X.

    Will making HTTP cookies unique to a given website (so other websites won't be able to access it) make cookies aligned with the strictest privacy guidelines (or will there still be a privacy and maybe also information security problem)?



  • owners of website Y could read what a visitor has searched for or had done in website X.

    No, it's not. A cookie set by www.example.com cannot be read by www.another-example.com. That's a fundamental property of cookies: they are tied to a domain. Some are even tied to a subdomain, so a cookie from one.example.com cannot be read from two.example.com.

    What happens is that lots of sites will use some ad network to display ads. And those ad networks (for example, adnet.net) will receive a request with a special header: Referer, and that header says you are coming from example.com. And adnet.net can set a cookie giving you a unique ID.

    So if you access example.com, and they use adnet.net as their ad-provider, your unique ID for adnet.net is sent to adnet.net and the Referer header says it's coming from example.com. They will record on their database that you accessed example.com, another-example.com and any other site you accessed and happened to have ads from adnet.net.

    No cookie from adnet.net can be read either by example.com or another-example.com, but adnet.net knows for sure you accessed both of them. And not only ads. A lot of sites are built using jQuery, and to not have to host jquery.js they just use a CDN and link that file directly. And the CDN too receives a request with a Referer header, and the CDN can set a special cookie with a unique ID on it.

    Will making HTTP cookies unique to a given website (so other websites won't be able to access it) make cookies aligned with the strictest privacy guidelines (or will there still be a privacy and maybe also information security problem)?

    It won't make any difference, because your cookies cannot be read by anyone else. What you can do is to not have any external resources (so host all your images, all scripts, all ads). This way nobody can know your users by cross-referencing ad network and CDN cookies.
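The mechanism the answer describes, as an added example that is not part of the original post: a small Python model of a browser cookie jar scoped per host, a constructed third party (standing in for adnet.net or a CDN) that assigns a unique ID cookie and logs the Referer of each request, and the mitigation the answer recommends (serving every resource yourself). The hostnames, cookie names and ID format are constructed for the demonstration. It also goes one step beyond the answer with a `no-referrer` referrer policy, to show that stripping the Referer leaves the third party with its ID cookie but no list of embedding sites.

```python
"""Model of third-party tracking via Referer plus a domain-scoped ID cookie.

Constructed example: hosts, cookie names and ID values are made up for the demo.
"""
from collections import defaultdict
from urllib.parse import urlparse


class CookieJar:
    """Browser cookie storage: cookies are keyed by the host that set them and are
    only sent back to that host (the domain scoping described in the answer)."""

    def __init__(self):
        self._store = defaultdict(dict)

    def set_cookie(self, host, name, value):
        self._store[host][name] = value

    def cookies_for(self, host):
        # A site never sees cookies that another host set.
        return dict(self._store.get(host, {}))


class ThirdParty:
    """Constructed third party (ad network or CDN): gives each new visitor a unique
    ID cookie and records which first-party site the Referer header names."""

    def __init__(self, host):
        self.host = host
        self._next_id = 1
        self.profiles = defaultdict(set)  # uid -> set of first-party hosts seen

    def serve(self, request_cookies, referer):
        uid = request_cookies.get("uid")
        new_cookie = None
        if uid is None:
            uid = f"u{self._next_id}"
            self._next_id += 1
            new_cookie = ("uid", uid)  # Set-Cookie for the third party's own host
        if referer:
            # The real header carries the full URL (path and query included);
            # recording only the host is enough to build the cross-site profile.
            self.profiles[uid].add(urlparse(referer).hostname)
        return new_cookie


class Browser:
    """Loads a page and its embedded resources, attaching per-host cookies and,
    subject to the referrer policy, a Referer header pointing at the page."""

    def __init__(self):
        self.jar = CookieJar()

    def visit(self, page_url, resources, referrer_policy="no-referrer-when-downgrade"):
        page_host = urlparse(page_url).hostname
        self.jar.set_cookie(page_host, "session", f"sess-{page_host}")  # first-party cookie
        for server in resources:
            referer = None if referrer_policy == "no-referrer" else page_url
            new_cookie = server.serve(self.jar.cookies_for(server.host), referer)
            if new_cookie:
                self.jar.set_cookie(server.host, *new_cookie)


def demo_cross_site_tracking():
    """Two sites embed the same ad network; the network links both visits to one ID."""
    browser, adnet, cdn = Browser(), ThirdParty("adnet.net"), ThirdParty("cdn.example-cdn.net")
    browser.visit("https://example.com/search?q=shoes", [adnet, cdn])
    browser.visit("https://another-example.com/", [adnet])
    return {
        "example_cookies": browser.jar.cookies_for("example.com"),  # no 'uid' here
        "adnet_cookies": browser.jar.cookies_for("adnet.net"),
        "adnet_profiles": {u: sorted(s) for u, s in adnet.profiles.items()},
        "cdn_profiles": {u: sorted(s) for u, s in cdn.profiles.items()},
    }


def demo_self_hosted():
    """Mitigation from the answer: no external resources, so the ad network sees nothing."""
    browser, adnet = Browser(), ThirdParty("adnet.net")
    browser.visit("https://example.com/", [])
    browser.visit("https://another-example.com/", [])
    return dict(adnet.profiles)


def demo_no_referrer():
    """Beyond the answer: a no-referrer policy keeps the ID cookie but not the site list."""
    browser, adnet = Browser(), ThirdParty("adnet.net")
    browser.visit("https://example.com/", [adnet], referrer_policy="no-referrer")
    browser.visit("https://another-example.com/", [adnet], referrer_policy="no-referrer")
    return browser.jar.cookies_for("adnet.net"), dict(adnet.profiles)


if __name__ == "__main__":
    print(demo_cross_site_tracking())
    print(demo_self_hosted())
    print(demo_no_referrer())
```

The first demo shows both halves of the answer at once: `example.com` only ever sees its own `session` cookie, yet `adnet.net` ends up with one ID linked to both sites purely through the Referer it received. The `no-referrer` case is worth noting because a referrer policy that sends only the origin (rather than nothing) would still hand the third party the site name.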

