Securing Third Party Cookies

Safari has “Prevent cross-site tracking” by default
<script src="https://advertiser.tld/api/v1/api.js"
function add_access_control_headers(req, headers){
headers['Access-Control-Allow-Origin' ] =
headers['Access-Control-Allow-Methods'] =
headers['Access-Control-Allow-Headers'] =
'Content-Type, X-Requested-With, Cache-Control';
headers['Access-Control-Allow-Credentials'] = 'true';
Set-Cookie: user_id=foo; Path=/; Domain=provider.tld; Max-Age=86400; Secure; SameSite=None;
// server code
function get_cookie_handler(req, res){

var headers = { 'Content-Type': "application/json" };
add_access_control_headers(req, headers);
res.writeHead(200, headers);
var cookies = parse_cookies(req);
res.write({user_id: cookies['user_id']})
// browser code
function get_cookie(){
var url = "https://advertiser.tld/api/v1/cookie";
return fetch(url).then(r => r.json()).then(r => r.user_id);
<!-- get_cookies.html: load this page in an iframe --><!doctype html>
var value = get_cookie('user_id');
message: "advertiser_cookies",
cookies: {
user_id: get_cookie('user_id')
// add additional cookies to expose
}, "*");
function get_cookie(name) {
var parts = ("; "+document.cookie).split("; "+name+"=");
if (parts.length === 2) return parts.pop().split(';').shift();
function create_iframe(url){
var iframe = document.createElement("iframe");
iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
iframe.src = url; = 'none';
return iframe;
function get_cookies(){  var url="https://advertiser.tld/get_cookies.html";
var iframe = create_iframe(url);

return new Promise(function(resolve){
function handler(event){
var data =;
if (typeof data === 'object' && data !== null){
if (data.message=='advertiser_cookies'){
return true;
return false;
window.addEventListener("message", handler);
async function test(){
var cookies = await get_cookies();
// server issues cookie
var cookie = generate_random_string(32);
await record_issued_cookie(cookie.substr(0,16), cookie);
headers['Set-Cookie'] = `user_id=${cookie}; ...`
// server verify
var cookie = get_cookie(req, 'user_id')
var lookup = cookie.substr(0,16)
var check = cookie.substr(16);
var original = await get_issued_cookie(lookup);
var auth = null;
if (original == cookie){
auth = "full";
} else if (check == sha256(original.substr(16)).substr(0,16)){
auth = "embedded";



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Boris Reitman

Boris Reitman


The course of history is determined by the spreading of ideas. I’m spreading the good ones.