Wednesday, July 11, 2007

Party cookies - first or third-context


Internet Explorer 6+ (IE) has a default privacy policy that blocks third-party cookies, e.g. in iframes. How exactly are first and third party defined, and thereby how can this obstacle be overcome?

In the Microsoft Windows XP article Understanding cookies, the description is:

A first-party cookie either originates on or is sent to the Web site you are currently viewing. These cookies are commonly used to store information, such as your preferences when visiting that site.

A third-party cookie either originates on or is sent to a Web site different from the one you are currently viewing. Third-party Web sites usually provide some content on the Web site you are viewing. For example, many sites use advertising from third-party Web sites and those third-party Web sites may use cookies. A common use for this type of cookie is to track your Web page use for advertising or other marketing purposes. Third-party cookies can either be persistent or temporary.

The definition for first-party is the Web site you are currently viewing, and reading it like this it seems that there is just one first party and the rest is third-party. But that's not true; well, that depends on how you interpret it, because the most precise definition I've found is in Privacy in Internet Explorer 6, in the section First and Third-Party Context:

Internet Explorer 6 defines first-party content as content associated with the host domain. Third-party content originates from any other domain. For example, suppose a user visits by typing this URL in the address bar, and has a banner ad on this page. If these two sites set cookies, the cookies from are in a first-party context while the cookies from are in a third-party context.

Often commercial Web pages are an amalgamation of first- and third-party content. The Internet Explorer 6 privacy features distinguish between first- and third-party content. The underlying assumption is that users have a different relationship with first parties than with third parties. In fact, users might not be aware of the third party or be given a choice of whether to have a relationship with it. For this reason, default privacy settings for third parties are more stringent than for first parties.

but it is in the associated note that it's written crystal clear:

The URLs and both contain the same minimal domain, Content that shares the same minimal domain as the host domain is considered first-party content. Likewise, cookies set from these domains are considered first-party cookies. Minimal domains must have the same top-level domain (TLD). Some common examples of TLDs are .com, .net, and .org.

I haven't heard the term minimal domain before, but it's intuitive to understand. It matches (sort of) the definition of a domain cookie as defined in RFC 2965 - HTTP State Management Mechanism:

Host names can be specified either as an IP address or a HDN string. Sometimes we compare one host name with another. (Such comparisons SHALL be case-insensitive.) Host A's name domain-matches host B's if

  • their host name strings string-compare equal; or
  • A is a HDN string and has the form NB, where N is a non-empty name string, B has the form .B', and B' is a HDN string. (So, domain-matches but not

It's fair enough to expect the owner of a domain to take responsibility for all webservers/hosts on that domain, making it a domain of trust. Be aware, though, that the P3P privacy policy is per host (and/or subdomain) and not per minimal domain, as illustrated in spywarewarrior's Internet Privacy w/ IE6 & P3P: A Summary of Findings, in the section First-Party vs. Third-Party.
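To make the two rules concrete, here is an added example (my own code, not from the Microsoft articles or the RFC) that implements RFC 2965 domain-matching and the IE6 minimal-domain test for first- versus third-party context. It assumes the minimal domain is simply the last two labels of a host name; the host names in the sample are made up.

```javascript
// Added example, not from the original post: RFC 2965 domain-matching and
// the IE6 "minimal domain" rule for first- vs third-party cookie context.
// Assumption: the minimal domain is approximated as the last two labels of
// the host (e.g. "example.com"); this ignores multi-label public suffixes
// such as "co.uk", which real browsers handle with a public-suffix list.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// RFC 2965 "domain-matches": A matches B if the strings are equal, or A has
// the form N + B where N is non-empty and B starts with a dot. Comparisons
// are case-insensitive. An IP address can only match itself.
function domainMatches(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === b) return true;
  if (IPV4.test(a) || !b.startsWith('.')) return false;
  return a.length > b.length && a.endsWith(b);
}

// The "minimal domain" shared by all hosts of one domain of trust.
function minimalDomain(host) {
  const labels = host.toLowerCase().split('.');
  if (IPV4.test(host) || labels.length < 2) return host.toLowerCase();
  return labels.slice(-2).join('.');
}

// IE6 rule: content (and its cookies) is first-party when it shares the
// minimal domain of the host domain shown in the address bar.
function cookieContext(pageHost, contentHost) {
  return minimalDomain(pageHost) === minimalDomain(contentHost)
    ? 'first-party' : 'third-party';
}

// Classify every embedded host of a page; returns {host: context}.
function classifyEmbeds(pageHost, embeddedHosts) {
  const out = {};
  for (const h of embeddedHosts) out[h] = cookieContext(pageHost, h);
  return out;
}

// Constructed sample: a page on www.example.com embedding an iframe from a
// sibling host and a banner from an ad network (hypothetical names).
const sample = classifyEmbeds('www.example.com',
  ['login.example.com', 'ads.adnetwork.example', 'cdn.EXAMPLE.com']);
console.log(sample);
```

Note that the domain-match test wants a leading dot on the pattern and a non-empty prefix, so a bare "y.com" neither matches ".y.com" nor is matched by it.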

Next I'll have a quick look at P3P.