9

Is it possible for a 3rd party script to write cookies to the user's computer?

For example, if affiliate.example.org includes:

<script type="text/javascript" src="http://me.example.com/cookiemonster.js"></script>

I want to provide an affiliate with a script, to hopefully write a cookie on their clients' machines; ideally we would want to control the script ourselves. However, before trying this, I just thought I would see if it is even possible.

Of course, the other option would be for us to provide the actual script for the affiliate to put directly onto their site.

Improve this question

2 Answers 2

Reset to default
7

Yes, third party scripts can write cookies, and they will appear to belong to the domain of the page itself.

You can see this if you examine the cookies of any site using Google Analytics - the content comes from a third party (Google) but the _utm prefix cookies will be on the hosting site's domain.

To write third-party cookies (i.e. where the cookie is on the domain of the third party) requires that the cookies be sent in the headers of a download from that third party, and not written by JS code.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

What happenned when you tested it?

(yes, if the browser/user permits, it will record a cookie - but the domain of the cookie is determined by the domain the script was loaded from).

Improve this answer

2 Comments

Not tested yet, just doing some background research before plowing into the code. Thanks for the tips though. Much appreciate.
I think this answer is incorrect. If loading the script includes some Set-Cookie HTTP headers, then those will be set in the script's domain, subject to third party cookie controls. If the script itself sets cookies, they'll be in the original site's domain.