25
votes

Suppose I have a site at www.example.com which has an IFRAME pointing to ASP.NET site myapp.othersite.com - this causes issues with session and 3rd-party cookies which I understand.

If I moved the embedded app to myapp.example.com, would the session cookie still count as a 3rd-party cookie as it is a different subdomain?

3

3 Answers

19
votes

Cookies seem to be considered 3rd party if they come from different base domains (base domains being example.com or example.co.uk), but not if they come from different subdomains of the same base domain.

myapp.example.com will be able to set cookies with domain myapp.example.com if it is embedded within www.example.com.

Having myapp.example.com set cookies with domain .example.com is unnecessary unless those cookies need to be read from a different subdomain.

[Tested in Firefox, Chrome (with 3rd party cookies blocked) and Safari] [ThirdPartyUtil.IsThirdPartyInternal seems to be where this is checked in Firefox]

14
votes

if you set a Cookie on domain .example.com

then a cookie from www.example.com and www.myapp.example.com will be considered the same.

no cookie is treated as a 3rd party cookie.

5
votes

Assuming that the domain attribute is not set on the cookie in question, in this scenario it is indeed a third-party cookie due to the hostnames being different. However browsers who would ordinarily block third-party cookies will not block it due to the base domains being the same. So in that respect it is not treated as a third-party cookie.

I know this because I was able to successfully set and read a third party cookie when the base domain was the same and the subdomain was different while third party cookies were blocked in the latest versions of Firefox, Chrome, and Microsoft Edge's browser settings. This was true even when no domain attribute was set on the cookie. This means that Firefox, Chrome, and Microsoft Edge do not consider cookies from the same base domain to be third party cookies.

My methodology was as follows. I have two different hostnames with the same base domain but different subdomains. One of them contains two PHP files. The first sets a cookie with a random cookie name and no domain attribute and returns the name of the cookie as JSONP. The second attempts to read the cookie and then returns either true or false as JSONP. The other hostname contains an HTML file that uses AJAX to query the first PHP file that sets the cookie, and then when done, immediately uses AJAX again to query the second PHP file that tests for the existence of the cookie. I first made sure that third party cookies were being blocked by the browser before moving forward. I tested three browsers: Firefox, Chrome and Microsoft Edge. In all cases the results showed that the cookie was successfully set and read even though the cookie was from a different domain as long as the base domains were the same.

Conclusion: if a resource sets a cookie and the base domain on the resource is the same as the base domain on the web site, but the subdomain is different, popular browsers do not treat it as a third-party cookie.