Securing Third Party Cookies

Safari enables “Prevent cross-site tracking” (Intelligent Tracking Prevention) by default, so cookies set by a third-party domain such as advertiser.tld are not available to it in cross-site contexts unless the user turns the setting off.
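<!-- The attribute is `crossorigin`, not `crossdomain`. With the misspelled name the
     request is made in no-CORS mode; browsers cannot verify `integrity` against an
     opaque response and refuse to run the script. `use-credentials` makes the
     browser send cookies with the script request, so advertiser.tld must answer
     with a matching Access-Control-Allow-Origin and Allow-Credentials: true. -->
<script src="https://advertiser.tld/api/v1/api.js"
integrity="sha256-..."
crossorigin="use-credentials"></script>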
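/**
 * Populates `headers` (mutated in place) with the CORS response headers.
 *
 * @param {object} req  incoming request; only `req.headers.origin` is read
 * @param {object} headers  response header map to fill
 * @param {string[]} [allowedOrigins]  optional allowlist of exact origins
 *   (e.g. "https://publisher.tld"). When given, the request's Origin is echoed
 *   only if it is on the list; otherwise no Access-Control-Allow-Origin is set
 *   and the browser blocks the cross-origin read.
 *   When omitted the original behaviour is kept: ANY Origin is echoed back
 *   together with Allow-Credentials: true, which lets every site on the web
 *   make credentialed calls to this endpoint and read the response. That is
 *   only acceptable for an endpoint that is deliberately public.
 */
function add_access_control_headers(req, headers, allowedOrigins){
  var origin = req.headers.origin;
  var allowOrigin;
  if (Array.isArray(allowedOrigins)) {
    allowOrigin = allowedOrigins.includes(origin) ? origin : undefined;
  } else {
    // "*" is only reached when no Origin header was sent (not a browser
    // cross-origin request); browsers reject "*" together with
    // Allow-Credentials: true anyway, so it never grants credentialed access.
    allowOrigin = origin || "*";
  }
  if (allowOrigin !== undefined) {
    headers['Access-Control-Allow-Origin'] = allowOrigin;
  }
  // The ACAO value depends on the request's Origin, so shared caches must key
  // on it; otherwise a response cached for origin A is served to origin B.
  headers['Vary'] = headers['Vary'] ? headers['Vary'] + ', Origin' : 'Origin';
  headers['Access-Control-Allow-Methods'] =
    'GET,PUT,POST,OPTIONS,HEAD,DELETE';
  headers['Access-Control-Allow-Headers'] =
    'Content-Type, X-Requested-With, Cache-Control';
  headers['Access-Control-Allow-Credentials'] = 'true';
}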
Set-Cookie: user_id=foo; Path=/; Domain=provider.tld; Max-Age=86400; Secure; SameSite=None;
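// server code
/**
 * Responds with the caller's `user_id` cookie as JSON: {"user_id": "<value>"}.
 *
 * Uses add_access_control_headers() so cross-site callers may read the body
 * and parse_cookies() (defined elsewhere; assumed to return an object keyed
 * by cookie name — confirm against its definition) for the request cookies.
 * When no user_id cookie was sent the property is simply absent from the JSON.
 */
function get_cookie_handler(req, res){
  var headers = { 'Content-Type': "application/json" };
  add_access_control_headers(req, headers);
  res.writeHead(200, headers);
  var cookies = parse_cookies(req);
  // res.write() accepts only strings/Buffers; passing the raw object (as the
  // original did) makes Node throw a TypeError. Serialise explicitly.
  res.write(JSON.stringify({user_id: cookies['user_id']}));
  res.end();
}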
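// browser code
/**
 * Fetches the caller's advertiser `user_id` from the cookie endpoint.
 *
 * @returns {Promise<string|undefined>} the cookie value, or undefined when
 *   the server saw no user_id cookie.
 */
function get_cookie(){
  var url = "https://advertiser.tld/api/v1/cookie";
  // A cross-site fetch() omits cookies unless credentials are explicitly
  // included; without this the server never sees the user_id cookie and its
  // Access-Control-Allow-Credentials: true header is pointless.
  return fetch(url, { credentials: 'include' })
    .then(r => r.json())
    .then(r => r.user_id);
}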
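<!-- get_cookies.html: load this page in an iframe --><!doctype html>
<script>
// Reads this document's (advertiser.tld) cookies and hands them to the page
// that embeds the iframe.
// SECURITY: a targetOrigin of "*" delivers the values to WHATEVER page framed
// us. If only known publishers should receive them, pass that publisher's
// origin instead of "*" (or check document.referrer before posting).
parent.postMessage({
message: "advertiser_cookies",
cookies: {
user_id: get_cookie('user_id')
// add additional cookies to expose
}
}, "*");
// Returns the value of the cookie called `name` from document.cookie, or
// undefined when it is absent. This only sees cookies set without HttpOnly,
// which is why the Set-Cookie shown earlier omits that flag.
function get_cookie(name) {
var parts = ("; "+document.cookie).split("; "+name+"=");
if (parts.length === 2) return parts.pop().split(';').shift();
}
</script>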
/**
 * Builds a hidden <iframe> for `url`; the caller attaches it to the DOM.
 *
 * The sandbox keeps scripts and same-origin access for the framed document
 * (it has to read its own cookies and postMessage back) while still blocking
 * forms, popups and top-level navigation. Note that allow-scripts together
 * with allow-same-origin lets a framed document strip its own sandbox if it
 * shares the embedder's origin; here the frame is cross-origin.
 *
 * @param {string} url  document to load in the frame
 * @returns {HTMLIFrameElement} the detached, hidden iframe element
 */
function create_iframe(url){
  const frame = document.createElement("iframe");
  const sandboxFlags = ["allow-scripts", "allow-same-origin"].join(" ");
  frame.setAttribute("sandbox", sandboxFlags);
  Object.assign(frame.style, { display: 'none' });
  frame.src = url;
  return frame;
}
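/**
 * Loads advertiser.tld's get_cookies.html in a hidden iframe and resolves
 * with the cookie object it posts back ({ user_id: ... }).
 *
 * The original accepted an "advertiser_cookies" message from ANY window —
 * another frame on the page, or a window that opened this one, could post a
 * forged user_id and it would be resolved as genuine. Messages are now
 * accepted only from the iframe we created and only if they carry the
 * advertiser's origin, and the listener is removed once the reply arrives.
 *
 * @returns {Promise<object>} the `cookies` object from the iframe's message;
 *   never rejects, and stays pending if the iframe never answers.
 */
function get_cookies(){
  var url = "https://advertiser.tld/get_cookies.html";
  var iframe = create_iframe(url);
  document.body.appendChild(iframe);
  // Only messages that originate from the framed document's origin count.
  var expectedOrigin = new URL(url).origin;

  return new Promise(function(resolve){
    function handler(event){
      if (event.origin !== expectedOrigin) return false;
      // Reject messages from any window other than our own iframe.
      if (event.source !== iframe.contentWindow) return false;
      var data = event.data;
      if (typeof data !== 'object' || data === null) return false;
      if (data.message !== 'advertiser_cookies') return false;
      // One-shot: stop listening so later (possibly forged) messages are ignored.
      window.removeEventListener("message", handler);
      resolve(data.cookies);
      return true;
    }
    window.addEventListener("message", handler);
  });
}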
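/** Smoke test: fetch the advertiser cookies through the iframe bridge and log user_id. */
async function test(){
  var cookies = await get_cookies();
  console.log(cookies.user_id);
}
// The original left the promise floating, so any failure surfaced only as an
// unhandled rejection; report it explicitly instead.
test().catch(function(err){ console.error(err); });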
// server issues cookie
// Layout of the 32-char random value: the first 16 chars are the lookup key
// under which the full value is stored; the remaining 16 are the secret the
// verifier below compares (directly, or via sha256 for the "embedded" form).
// generate_random_string must be cryptographically random — this value IS
// the credential; confirm it is not Math.random()-based.
var cookie = generate_random_string(32);
await record_issued_cookie(cookie.substr(0,16), cookie);
// "..." presumably stands for the attributes shown earlier
// (Path, Domain, Max-Age, Secure, SameSite=None).
headers['Set-Cookie'] = `user_id=${cookie}; ...`
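// server verify
// Classifies the presented user_id cookie: "full" when it equals the value we
// issued, "embedded" when its tail is sha256(secret)[0:16] (the derived,
// one-way form), otherwise null.
// The original dereferenced `cookie` and `original` unconditionally, so a
// request without the cookie, or with a lookup key we never issued, threw
// instead of being treated as unauthenticated.
var cookie = get_cookie(req, 'user_id')
var auth = null;
var lookup = typeof cookie === 'string' ? cookie.substr(0,16) : null;
var check = typeof cookie === 'string' ? cookie.substr(16) : null;
var original = lookup ? await get_issued_cookie(lookup) : null;
if (original) {
  // NOTE(review): plain string comparison of secrets is not constant-time;
  // prefer crypto.timingSafeEqual on equal-length buffers where available.
  if (original === cookie){
    auth = "full";
  } else if (check === sha256(original.substr(16)).substr(0,16)){
    auth = "embedded";
  }
}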
