
In Chrome 15 there's a flag (in about:flags) to disable third-party cookies from being read:

  Block all third-party cookies.

  When the option to block third-party cookies from being set 
  is enabled, also block third-party cookies from being read.
(Don't forget to activate blocking in Preferences > Under The Hood > Content Settings... > Cookies.)

But then some sites stop working, like Twitter and even some parts of Google :(

Could you elaborate?

I routinely run with only direct cookies permitted (no third party ones) and with all cookies except those I have explicitly whitelisted being deleted each time my browser is closed.

I am not aware of any problem this has caused me for a long time, including on the sites you mentioned. Maybe there is some useful feature I'm not seeing at all because of the cookie restrictions I impose, but maybe they've just got better over time at not relying on cookies for things they shouldn't?

> maybe they've just got better over time at not relying on cookies for things they shouldn't?

It may be that. I just tried and Twitter is working perfectly without third-party cookies. Some months ago it didn't allow me to log in.

With Google I had a similar problem: I couldn't log in to my Google Account on sites that weren't the search engine (Docs, YouTube, etc.). I just tried them, and again, it seems that it works now.

I use Chrome stable. Maybe something changed in the management of third-party cookies in recent releases?

I would suspect it has something to do with Safari (Mobile at least) having third party cookies disabled by default.

Safari help says "Select to reject cookies from advertisers and from “third parties”—websites other than those you open. This might help prevent certain advertisers from storing cookies on your computer."

This might mean that they reject third-party cookies from being set, but not from being read. That is, once you get a cookie (e.g. signed in to Facebook), every other request to Facebook (even if it's through the "Like" button) will also send your cookie.

The flag that appeared in the latest Chrome beta specifically disables sending of cookies to third parties, even if you have them.

The +1 Chrome extension (https://chrome.google.com/webstore/detail/jgoepmocgafhnchmok...) doesn't work with third-party cookies disabled.

I use Safari and that is the default setting, and I have not had any issues at all ... could you provide more information?

Isn't Safari's option the same as Chrome's main "Block third-party cookies from being set"?

Chrome's about:flags option also blocks third-party cookies from being read.

Thanks for the tip! Anything equivalent for Firefox (and maybe IE and Opera too)?

In the Firefox preferences go to the Privacy tab and select Use Custom Setting for History in the History section. From there you will see the check box to accept 3rd party cookies. Keep in mind this will prevent webmasters from using things like Google Analytics, which you may want anyway, but I thought it was worth mentioning.

Are you sure that setting "Accept cookies" to "off" will prevent third-party sites from reading cookies as well?

Based on the small amount of testing I did on a couple of versions of Firefox, disallowing third-party cookies means only websites you are directly visiting can read or write any cookies.

So if you go to facebook.com and it sets some cookies and later you go to somerandomblog.com that has some images from facebook.com, Firefox will not send cookies to facebook.com, since you are not visiting it directly.

Now obviously if somerandomblog.com has JavaScript from facebook.com on it, then that JavaScript can read cookies from somerandomblog.com and do pretty much anything it wants with that page.

Good question and I'm not sure. I would guess that if it doesn't accept them then it wouldn't read them either. The first step in the cookie transaction would be to check whether that cookie already exists (an attempt to read the cookie). It would seem easiest to stop that process at that point based on user preferences rather than just programming it to check at the actual write time.

This is all speculation though.

But once you sign in to Facebook, you have the cookie, so the browser will send it if there's no read blocking.

Cookies can still be read if this is set to "off."

I use Cookie Monster (https://addons.mozilla.org/en-US/firefox/addon/cookie-monste...) as it allows more dynamic blocking of cookies.

Facebook Blocker for all common browsers: http://webgraph.com/resources/facebookblocker/

Not compatible with Firefox 6.0.2.

Opera: Preferences (Ctrl+F12) -> Advanced -> Cookies -> Accept cookies only from the site I visit.
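
The distinction this thread keeps returning to, blocking third-party cookies from being set versus also blocking them from being read, shown as an added example that is not part of the original thread. It is a simplified model: third party is decided by exact host comparison, and `tracker.example` and `othersite.example` are constructed hosts.

```javascript
// Simplified model of a browser cookie jar under three third-party cookie policies.
// Assumption: "third party" is decided by exact host comparison; real browsers
// compare registrable domains (eTLD+1).
const POLICIES = ["allow-all", "block-set", "block-set-and-read"];

class Browser {
  constructor(policy) {
    if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
    this.policy = policy;
    this.jar = new Map(); // host -> cookie value
  }

  // One HTTP request made while `topLevelHost` is the page in the address bar.
  // `setCookie` is the value the server tries to set in its response, if any.
  // Returns the cookie value sent with the request (null if none).
  request(topLevelHost, requestHost, setCookie = null) {
    const thirdParty = topLevelHost !== requestHost;
    const mayRead = !(thirdParty && this.policy === "block-set-and-read");
    const maySet = !(thirdParty && this.policy !== "allow-all");
    const sent = mayRead && this.jar.has(requestHost) ? this.jar.get(requestHost) : null;
    if (setCookie !== null && maySet) this.jar.set(requestHost, setCookie);
    return sent;
  }
}

// Constructed scenario: sign in on facebook.com directly, then load a blog that
// embeds a facebook.com resource and a tracker that was never visited directly.
function scenario(policy) {
  const b = new Browser(policy);
  b.request("facebook.com", "facebook.com", "session=abc");
  const embeddedWidget = b.request("somerandomblog.com", "facebook.com");
  b.request("somerandomblog.com", "tracker.example", "id=1");
  const trackerOnSecondSite = b.request("othersite.example", "tracker.example");
  return { embeddedWidget, trackerOnSecondSite };
}

for (const p of POLICIES) console.log(p, scenario(p));
```

Under `block-set` the never-visited tracker gets no cookie, but the embedded facebook.com request still carries the session cookie set during the direct visit; only `block-set-and-read` withholds both.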
