Cookie-Receipt Contexts
(Understanding and testing additional cookie privacy enforcement.)



What is Cookie Context?

Web browsers that support an advanced form of cookie management notice and record the "context" in which cookies are received. They note whether cookies are received from first-party or third-party servers — in other words, from the server of a page the user is deliberately visiting, or from the server of some other site referred to by that page. These extra-aware browsers can be configured to enforce additional privacy: during a third-party query, they do not return a cookie that was originally received during a first-party reply.

For example, if you were within the Yahoo domain (yahoo.com) and using any of Yahoo's many services with first-party cookies enabled, your browser would be receiving and returning Yahoo's cookie(s) in “first-party context” because you are deliberately visiting and using Yahoo. This is normal, useful, and even necessary if you would like to take advantage of Yahoo's many features where you “logon” through your browser and need to be known to Yahoo as you move from page to page and from visit to visit.

But if you were then to visit the eBay online auction site, where a Yahoo-provided advertisement is present, a normal first-party cookie exchange would occur with eBay in a first-party context, because that's the site (and domain) you are visiting. But any cookie exchange with Yahoo's servers would occur in a “third-party context” because you are at eBay now, not at Yahoo.

The problem is, your web browser is carrying a Yahoo domain cookie, and Yahoo knows all about you due to your deliberate and intentional relationship with them. But do you want Yahoo to also know every time you visit eBay (and all other sites where Yahoo provides advertisements or other page assets) and also what you searched for on eBay?

Even when web browsers are configured not to accept (new) third-party cookies, they will still send any cookies that they may have already acquired.

As a result, returning to our example above, a browser that was not aware of the context in which it originally received Yahoo's first-party cookie might leak that cookie — which was received in a trusted first-party context — when its user subsequently visited eBay (or any other site) where Yahoo provided a page asset in a third-party context . . . which is not what most privacy-conscious users would want.
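
The Yahoo/eBay scenario above can be modeled with a small cookie jar that records the context in which each cookie was received. This is an added example, not code from GRC or from any browser; the class and function names are hypothetical, the hostname ads.yahoo.com is constructed, and sites are compared by their last two host labels as a simplifying assumption.

```javascript
// Added illustration: toy cookie jar that records each cookie's receipt context.
// All names here are hypothetical; ads.yahoo.com is a constructed hostname.

// Assumption: "site" = last two host labels. Real browsers use the Public
// Suffix List to find the registrable domain.
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

class CookieJar {
  constructor({ acceptThirdParty, contextAware }) {
    this.acceptThirdParty = acceptThirdParty; // accept cookies set by third-party replies?
    this.contextAware = contextAware;         // enforce receipt context when sending?
    this.cookies = [];                        // { site, name, value, receivedAs }
  }

  contextFor(pageHost, requestHost) {
    return siteOf(pageHost) === siteOf(requestHost) ? "first-party" : "third-party";
  }

  // A reply from requestHost sets a cookie while the user is on pageHost.
  receive(pageHost, requestHost, name, value) {
    const receivedAs = this.contextFor(pageHost, requestHost);
    if (receivedAs === "third-party" && !this.acceptThirdParty) return false;
    const site = siteOf(requestHost);
    this.cookies = this.cookies.filter(c => !(c.site === site && c.name === name));
    this.cookies.push({ site, name, value, receivedAs });
    return true;
  }

  // Cookies attached to a query sent to requestHost from a page on pageHost.
  cookiesToSend(pageHost, requestHost) {
    const ctx = this.contextFor(pageHost, requestHost);
    return this.cookies
      .filter(c => c.site === siteOf(requestHost))
      // The additional enforcement: a cookie received in first-party context
      // is withheld from third-party queries.
      .filter(c => !(this.contextAware && ctx === "third-party" && c.receivedAs === "first-party"))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Constructed scenario: log on at Yahoo, then load an eBay page that pulls a
// page asset from a Yahoo server. New third-party cookies are blocked in both runs.
function visitYahooThenEbay(contextAware) {
  const jar = new CookieJar({ acceptThirdParty: false, contextAware });
  jar.receive("www.yahoo.com", "www.yahoo.com", "id", "user123");
  return jar.cookiesToSend("www.ebay.com", "ads.yahoo.com");
}
```

With contextAware set to false the jar refuses new third-party cookies yet still returns the Yahoo cookie from the eBay page; with it set to true the same query carries no cookie, while first-party visits to Yahoo are unaffected.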


Testing Cookie-Receipt Context (Advanced Cookie Forensics)
Testing your browser's cookie-receipt context management only makes sense if your web browser is currently configured to accept updates to, and return, first-party cookies while successfully blocking, or at least not accepting, updates to third-party cookies.

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Apr 02, 2008 at 08:24