Securing Third Party Cookies

Safari has “Prevent cross-site tracking” by default
<script src="https://advertiser.tld/api/v1/api.js"
function add_access_control_headers(req, headers){
headers['Access-Control-Allow-Origin' ] =
headers['Access-Control-Allow-Methods'] =
headers['Access-Control-Allow-Headers'] =
'Content-Type, X-Requested-With, Cache-Control';
headers['Access-Control-Allow-Credentials'] = 'true';
Set-Cookie: user_id=foo; Path=/; Domain=provider.tld; Max-Age=86400; Secure; SameSite=None;
// server code
function get_cookie_handler(req, res){

var headers = { 'Content-Type': "application/json" };
add_access_control_headers(req, headers);
res.writeHead(200, headers);
var cookies = parse_cookies(req);
res.write({user_id: cookies['user_id']})
// browser code
function get_cookie(){
var url = "https://advertiser.tld/api/v1/cookie";
return fetch(url).then(r => r.json()).then(r => r.user_id);
<!-- get_cookies.html: load this page in an iframe --><!doctype html>
var value = get_cookie('user_id');
message: "advertiser_cookies",
cookies: {
user_id: get_cookie('user_id')
// add additional cookies to expose
}, "*");
function get_cookie(name) {
var parts = ("; "+document.cookie).split("; "+name+"=");
if (parts.length === 2) return parts.pop().split(';').shift();
function create_iframe(url){
var iframe = document.createElement("iframe");
iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
iframe.src = url; = 'none';
return iframe;
function get_cookies(){  var url="https://advertiser.tld/get_cookies.html";
var iframe = create_iframe(url);

return new Promise(function(resolve){
function handler(event){
var data =;
if (typeof data === 'object' && data !== null){
if (data.message=='advertiser_cookies'){
return true;
return false;
window.addEventListener("message", handler);
async function test(){
var cookies = await get_cookies();
// server issues cookie
var cookie = generate_random_string(32);
await record_issued_cookie(cookie.substr(0,16), cookie);
headers['Set-Cookie'] = `user_id=${cookie}; ...`
// server verify
var cookie = get_cookie(req, 'user_id')
var lookup = cookie.substr(0,16)
var check = cookie.substr(16);
var original = await get_issued_cookie(lookup);
var auth = null;
if (original == cookie){
auth = "full";
} else if (check == sha256(original.substr(16)).substr(0,16)){
auth = "embedded";




The course of history is determined by the spreading of ideas. I’m spreading the good ones.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} Brain Teaser Extreme Hack Free Resources Generator

Ahold-Delhaize and how bug bounty reports should be handled

Scammers Stole $14 billion in Crypto in 2021.

2021 Lossless Games: $10,000 of LSS in prizes — Round 1 Results

U.S. Department of Defense (DoD) Approves CompTIA Cybersecurity Analyst: Why It Matters

Avoid scam and Unprofitable projects today by simply choosing your dapps from @thedapplist, we…

Loopy Times: November 8, 2021

FAQ Series: What is Web3 Publishing?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Boris Reitman

Boris Reitman

The course of history is determined by the spreading of ideas. I’m spreading the good ones.

More from Medium

Prototype Pollution HIGH vulnerability in ‘mixme’ NPM package

One Ring to rule them all, and in darkness bind them

Quick Thought — Why the fanaticism regarding programming languages?

Updating contents of GitHub repositories via Ruby