You may all know that Apple introduced 3rd party cookie deletion after 24 hours into Safari 11 on Mobile and Desktop called Intelligent Tracking Prevention ITP.
This forced Google to change their AdWords pixel to use a 1st party instead of a 3rd party cookie.
I'm not sure what to do in the following scenario:
Landing page is domain1.com with a link to domain2.com/register where users can fill out a form and convert and it will load domain2.com/thankyou
In the past I would just set up GTM like this:
Tag: AdWords Remarketing
Trigger: All Pages
Tag: AdWords Conversion
Trigger: Page View, where url=domain2.com/thankyou
Tag: Universal Analytics
Set field: autoLinker=true
Add cross-domains: domain2.com
Trigger: All Pages
This worked perfectly because Analytics uses a 1st party cookie, so we make sure the cross-domain tracking for Analytics works. For AdWords we didn't need to worry, as it used a 3rd party cookie that will perfectly work across domains.
Question
Since AdWords switched to a 1st party cookie, they nag us in GTM to add a Conversion Linker without much settings to set. I don't see how this works with a 1st party cookie, without a cross-domain linker for AdWords.
Any ideas if for AdWords everything just works without any sort of cross-domain linker?
So one and a half years later this gets finally fixed by google. GTM allows for link and form decoration, to transfer it's 1st party cookie to the second domain:
https://support.google.com/tagmanager/answer/7549390?linkId=58009916
"Enable linking across domains"
Related
I know how normal cookies work and that a browser attaches them to every request to the cookie's domain. I also watched a couple of videos about 3rd party tracking cookies that get send to the tracking site when they are requested by a browser loading the main site and thus the tracking site gets to know where their cookie comes from and this way can track you.
However, what I don't get is how the 3rd party tracking site gets the information about the source? Is the browser sending some kind of a referral and so revealing to them what website I opened or how does this magic work?
I am very confused as to how Safari ITP 2.3 works in certain respects, and why sites can’t easily circumvent it. I don’t understand under what circumstances limits are applied, what the exact limits are, to what they are applied, and for how long.
To clarify my question I broke it down into several cases. I will be referring to Apple’s official blog post about ITP 2.3 [1] which you can quote from, but feel free to link to any other authoritative or factually correct sources in your answer.
For third-party sites loaded in iframes:
Why can’t they just use localStorage to store the values of cookies, and send this data back and forth not as actual browser cookie headers 🍪, but as data in the body of the request or a header like Set-AuxCookie? Similarly, they can parse the response to updaye localStorage. What limits does ITP actually place on localStorage in third party iframes?
If the localStorage is frequently purged (see question 1), why can’t they simply use postMessage to tell a script on the enclosing website to store some information (perhaps encrypted) and then spit it back whenever it loads an iframe?
For sites that use link decoration
I still don’t understand what the limits on localStorage are in third party sites in iframes, which did NOT get classified as link decorator sites. But let’s say they are link decorator sites. According to [1] Apple only start limiting stuff further if there is a querystring or fragment. But can’t a website rather trivially store this information in the URL path before the querystring, ie /in/here without ?in=here … certainly large companies like Google can trivially choose to do that?
In the case a site has been labeled as a tracking site, does that mean all its non-cookie data is limited to 7 days? What about cookies set by the server, aren’t they exempted? So then simply make a request to your server to set the cookie instead of using Javascript. After all, the operator of the site is very likely to also have access to its HTTP server and app code.
For all sites
Why can’t a service like Google Analytics or Facebook’s widgets simply convince a site to additional add a CNAME to their DNS and get Google’s and Facebook’s servers under a subdomain like gmail.mysite.com or analytics.mysite.com ? And then boom, they can read and set cookies again, in some cases even on the top-level domain for website owners who don’t know better. Doesn’t this completely defeat the goals of Apple’s ITP, since Google and Facebook have now become a “second party” in some sense?
Here on StackOverflow, when we log out on iOS Safari the StackOverflow network is able to log out of multiple sites at once … how is that even accomplished if no one can track users across websites? I have heard it said that “second party cookies” still can be stored but what exactly makes a second party cookie different from a third party?
My question is broken down into 6 cases but the overall theme is, in each case: how does Apple’s latest ITP work in that case, and how does it actually block all cases of potentially malicious tracking (to the point where a well-funded company can’t just do the workarounds above) while at the same time allowing legitimate use cases?
[1] https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/
I am not sure if the below answers are correct, please comment if they are not:
It seems applications can use localStorage with no problem, up to 7 days. But it won’t be persisted across multiple enclosing domains. I would even recommend using sessionStorage, since the goal is just to have nothing more than a seamless session. You can then roll your own cookie mechanism using a different set of headers, the only thing you can’t implement is http-only cookies.
They can, but ITP won’t let the JavaScript on the enclosing page store cookies (at least, not if your third party domain was flagged as a tracker by Safari).
Yeah, the description of “link decoration” technically doesn’t mention this workaround, but probably Apple has or will update its classifier to handle this workaround.
Yes, if a first-party webpage will send a request to the server and it sets a cookie in the response headers, then these aren’t blocked by ITP, even if it has an iframe to a tracking site. They say that’s not their goal.
Yes, in fact your first-party site can just let your site redirect to google.com and back quickly (like with oAuth) and thereby inform Google of whatever you wanted, without cookies. Google’s JavaScript can do this as well, if you allow it. Then the JavaScript can just load your google-hosted subdomain in an iframe and set a cookie that persists for years, tracking the user. However, ITP 2.3 seems to have also added mitigation to this, so you might use A records instead? https://cookiesaver.io/archives/analytics-guides/cname-cloaking-mitigation-eliminates-safari-itp-workarounds/
Probably the StackExchange network uses a version of #5
I have been looking around the last few days for cookies and gdpr law, and I have been busy getting OneTrust and GoogleTagManager up and running on our current website and it works just fine!
On our Cookie consent banner, we have a "Reject all Cookies" button and then we do not load our tracking and other 3rd party scripts.
We have also added a list of all cookies etc. we use on the site that we receive automatically from onetrust. Necessary cookies for the site to work are loaded even if the user clicks Reject all cookies.
So some problems I have today:
Rectaptcha:
https://measuredcollective.com/gdpr-recaptcha-how-to-stay-compliant-with-gdpr/
https://www.imy.se/en/verksamhet/data-protection/this-applies-accordning-to-gdpr/transfer-of-data-to-a-third-country/
According to these links, we send sensitive information such as IP address to another country. as well as puts cookies on google's own domain google.com
If we decide that the user must ask for consent before using Google ReCaptcha cookies and then a spam/bot allows the possibility to deny these cookies. Then you have to ask if there is any point in using Google ReCaptcha in the first place?
I interpret this as meaning that we cannot use Google Recaptcha and have to change to another Recaptcha solution like hcaptcha.com?
A / B test.
https://help.optimizely.com/Account_Settings/Enable_opt-in_options_for_Optimizely_cookies_and_local_storage
In recent months, we have prepared some things to be A/B tested on the website. We already do not have that many users on the site and have to run our a/b tests for a slightly longer period for better results. Of course, an a/b test uses cookies and these cookies are counted as analytics cookies.
But now that we have "Reject all cookies" or "deny analytics cookies", we lose quite a lot of visitors and it becomes almost impossible to a / b test.
Is a/b test dead for smaller websites in EU?
Local storage
We save personal data when the user orders a service from us, in LocalStorage.
Does the website have to tell users, what and why we save it in LocalStorage?
When a user has clicked "X" on a popup, we save it in LocalStorage so that the user does not have to see the popup every time they come into the page. This is not necessary but improves the user experience. So are it considered necessary cookies or do we have to have the user consent to it?
On A/B testing, there are ways to run them without relying on cookies, and instead use a server-server integration that doesn't send any of the user information to 3rd party websites. This is accomplished by having a rules engine run locally on your own server and then only send exposure logs to the analytics service.
If you're curious, one such service with a rule-set based engine is: https://statsig.com.
Disclaimer: I work at Statsig.
I'm not sure if this is the right stack to ask this in so if not please let me know!
I am trying to get a handle on what cookies are used on a site and what they are for. When I initially did a cookie scan I noticed a cookie names NID which was set by google.
I have tried to research this cookie and can see it is used by Google for advertising purposes.
But I am confused about why and where this is being set, the site I am looking at does not use advertising anywhere, although it does use embedded YouTube videos.
Can anyone shed any light on when and why this cookie is set?
according to Google
Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.
For me, the cookie was hammered incessantly by the url https://www.google.com/s2/favicons?domain=example.org Which was being used by CookieBro & FeedBro RSS feeder browser addons for retrieving icons associated with various domains. The cookie can be dropped by either an addon or by google itself.
I used cookie log via cookiebro addon for firefox & chrome to detect these cookies in realtime, its one of a kind. However I did not realize it was cookiebro dropping them until the next step below.
To see what background connection is occuring when these cookies are placed, enter the following firefox url: about:cache?storage=disk&context= and you will see when and where the google url being connected to.
It is said this cookie is for targeting & ADS and the google's settings are integrated to make the cookie inconvenient to delete for Google users.
I work for an e-commerce site. Part of what we do is to offer customized items to some clients. Recently some non-technical management promised that we could incorporate our check-out process into one such client's website. The only way we've figured out how to do this is by using an iframe (I know, I don't like it either). The issue is that most customers of this site are unable to check out because we use cookies to determine which custom items to display. Browsers are recognizing our cookies as third party and almost everybody has third party cookies turned off, as they should. I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Try an invisible, interstitial page.
Essentially the hosting site would issue a redirect to a site within your domain, which is then free to set cookies (because at this point is is actually the first party). Then your site immediately redirects back to the hosting site. At this point your newly-created cookies will be invisible to the hosting site but visible to your iFramed page henceforth.
Unfortunately the hosting site will have to do this every time a cookie is to be updated but the double-redirect can happen so quickly they'll hardly notice. Hopefully your system only needs the cookies to be set once.
Instead of using a cookie, pass the information in the each url request as name/value pairs.
It is a bit of a pain to add the name/value to every url...I know...oh well...it will work.
I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Your iframed page itself, which is the third party in this scenario, could send a P3P Cookie Policy header – some browsers then accept third-party cookies by default, whereas others (mainly Safari) will not be convinced to do so at all if not by the user manipulating the default settings themselves.
What you could also do, is pass the session id not (only) by cookie, but as a GET or POST parameter as well – f.e. under PHP this can be done quite easily by configuring the session options. You should consider if that’s worth the slightly increased risk of session stealing.
The interstitial page solution should work but it might be a lot of trouble for your hosting site, so here's another solution that will allow you to work cookieless.
Write an HttpModule that responds to the BeginRequest event, reads the querystring, and inserts corresponding cookie headers into the Context.HttpRequest object (Note: you can't use AddCookie, you have to use AddHeader, because cookies added by a module directly are disposed of before they hit your application proper). That way the hosting site can simply issue a request (within the iFrame) that contains the necessary value in the querystring, the module will convert it into a cookie (that only exists in memory, not on the wire), and your application will be deceived into thinking that there's a cookie there. No code changes required, you just need to add the module in web.config.
This only works if you are using IIS 7.0+ in integrated pipeline mode. If you're on an earlier version of IIS or if you have to run in classic mode, you'll need an ISAPI filter instead.
Ryan , John
For the Chrome v80 update with SameSite flags, want to set the samesite=none;secure for the site hosting our iframe and somehow supply the necessary samesite=none;secure cookie. We have apache 2.2 and tomcat 6 setup, so would appreciate a solution and advice on how to make it work. Currently with flag enabled the iFrame is not punching out successfully.
Thanks