[thelist] [Security] Any security risks with Low privacy setting in IE?

Jeff Howden jeff at jeffhowden.com
Thu Aug 7 04:00:09 CDT 2003


> From: Kelly Hallman
> I think everyone missed the "third party" cookie part.
> Third party cookies are, as I understand it, cookies set
> by site A for site B.  So in other words, I could set
> an ebay cookie from my site, and those browsers would
> take it. [...]

not exactly true.  sure, the cookie will come across in the http headers,
but the browser won't do anything with it because the domain the request is
coming from doesn't match the domain in the cookie trying to be set.

i have my browser set to prompt *all* cookies and i never see a prompt for
the ebay cookie, even though i can clearly see it in the http headers.  i
trot on over to ebay to check my cookies there and don't see the cookie

try it yourself and see what i mean.

third party cookies are actually cookies that are set by elements (images,
content in iframes, stylesheets, javascript files, etc.) that are from a
domain other than the domain of the page calling those items.  a good
example of this is foo.com has a banner ad for doubleclick.net.  the request
for that banner comes along with an attempt by doubleclick.net to set a
cookie.  because the domains don't match, that cookie falls under the rules
applied to third party cookies.

> Cookies are meant to be opaque identifiers.  They are
> certainly harmless on their own, but they are a bit
> sensitive since they often contain session tracking
> information.  If you allow a third party site to
> manipulate that data, there's some element of risk.

and you can't read the information in the cookie for foreign sites.
additionally, you can't change the value of a cookie for another domain (see



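The domain check Jeff describes, written out as an added example (this is my code, not anything from the thread): a browser-style model of whether a Set-Cookie header from one host is stored at all, and whether the request that carried it counts as third-party relative to the page that embedded it. It assumes the RFC 6265 domain-match rule and approximates a host's "site" by its last two labels, where a real browser consults the Public Suffix List.

```javascript
// Added example, not part of the original mailing-list post.
// Models two things the thread discusses: (1) a response from site A cannot
// set a cookie scoped to site B, because the cookie's Domain must match the
// responding host; (2) a cookie set by an embedded resource (banner, iframe,
// script) from another site is a third-party cookie.

// RFC 6265 s5.1.3 domain-match: equal, or host ends with "." + domain,
// and the host is not an IPv4 literal. Leading dots on Domain are ignored.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// Minimal Set-Cookie parser: name, value, and attributes keyed in lowercase.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const [k, ...v] = p.split("=");
    attrs[k.trim().toLowerCase()] = v.join("=").trim();
  }
  return { name: name.trim(), value: valueParts.join("="), attrs };
}

// Crude "site" of a host (last two labels). Assumption: good enough for
// .com-style names used here; real browsers use the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Decide what a browser does with a Set-Cookie header received from
// responseHost while the top-level page is served from pageHost.
function evaluateSetCookie(header, responseHost, pageHost) {
  const cookie = parseSetCookie(header);
  // Third-party if the responding host is not in the page's site
  // (the doubleclick.net banner on a foo.com page from the thread).
  const thirdParty = siteOf(responseHost) !== siteOf(pageHost);
  // No Domain attribute means a host-only cookie for the responding host.
  const domain = cookie.attrs.domain || responseHost;
  if (!domainMatches(responseHost, domain)) {
    // The ebay case from the thread: header arrives, browser discards it.
    return { name: cookie.name, accepted: false, thirdParty, reason: "domain mismatch" };
  }
  return { name: cookie.name, accepted: true, thirdParty, reason: "stored" };
}
```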