Article here discusses tactics used by political campaigns. http://www.nytimes.com/2012/10/14/us/politics/campaigns-mine-personal-lives-to-get-out-vote.html
The part in question is quoted:
The campaigns have planted software known as cookies on voters’ computers to see if they frequent evangelical or erotic Web sites for clues to their moral perspectives. Voters who visit religious Web sites might be greeted with religion-friendly messages when they return to mittromney.com or barackobama.com.
How is that possible? I thought all modern browsers have same origin policy security where website A doesn't have access to any information about other website B, website C, etc.
The article makes it sound like a user browses:
1. presidentialcandidate.com
2. website2.com
3. website3.com
4. website4.com
5. presidentialcandidate.com
How can a cookie from visit #1 track user history and be revealed in visit #5?
Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin. Cookies use a separate definition of origins. A page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix.
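The cookie-scoping rule stated in the answer above (a page may set a cookie for its own host or for a parent domain, but never for a public suffix, and a cookie scoped to a parent domain is then sent to every host under it) is easy to get wrong by hand. The following is an added example, not code from the original answer or from any browser: a minimal model of the RFC 6265 domain-matching and Domain-attribute rules. The public-suffix set is a constructed subset chosen for the example; real browsers consult the full Public Suffix List.

```javascript
// Added example (not from the original answer): a minimal model of the
// cookie Domain-attribute rule from RFC 6265 that the answer describes.
// The public-suffix set below is a constructed subset for the example;
// browsers use the full Mozilla Public Suffix List (publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: `domain` domain-matches `host` when they are
// equal, or when `domain` is a suffix of `host` preceded by a dot and
// `host` is not an IP address.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith("." + domain) && !isIpAddress(host);
}

// Decide whether a response from `requestHost` may set a cookie carrying
// `Domain=<domainAttr>`. Returns the scope the cookie jar would record
// (host-only when no Domain attribute is present), or null when the
// browser must reject the cookie.
function effectiveCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (domainAttr === undefined || domainAttr === "") {
    return { domain: host, hostOnly: true };            // host-only cookie
  }
  let domain = domainAttr.toLowerCase();
  if (domain.startsWith(".")) domain = domain.slice(1); // leading dot is ignored
  if (PUBLIC_SUFFIXES.has(domain)) return null;         // cannot scope to a public suffix
  if (!domainMatches(host, domain)) return null;        // only self or a parent domain
  return { domain, hostOnly: false };
}

// Decide whether a stored cookie is attached to a request for `host`.
function cookieSentTo(cookie, host) {
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Worked cases, constructed for this example.
function demo() {
  return {
    parent: effectiveCookieDomain("www.example.com", "example.com"), // accepted
    suffix: effectiveCookieDomain("alice.github.io", "github.io"),   // rejected
    sibling: effectiveCookieDomain("www.example.com", "other.com"),  // rejected
    child: effectiveCookieDomain("example.com", "www.example.com"),  // rejected
    ip: effectiveCookieDomain("127.0.0.1", "0.0.1"),                  // rejected
    hostOnly: effectiveCookieDomain("www.example.com"),              // host-only
  };
}
```

The `suffix` case is the one that matters for shared hosting: a page on alice.github.io cannot plant a cookie that bob.github.io would receive, precisely because github.io is on the Public Suffix List. The `parent` case shows the other direction, which is legitimate and common: a cookie set by www.example.com with `Domain=example.com` is sent to shop.example.com as well.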
Cookies can track any kind of data about users, such as search and browser history, what websites they previously visited, what they googled earlier, their IP addresses, their on-site behavior such as scrolling speed, where they clicked and where their mouse hovered.
Cookies are created to identify you when you visit a new website. The web server — which stores the website's data — sends a short stream of identifying info to your web browser. Browser cookies are identified and read by “name-value” pairs. These tell cookies where to be sent and what data to recall.
Cookie tracking can be used to see a user's previous browsing activity. As long as they haven't cleared their cookies since the last time they visited your site, you should be able to see details of when they logged on, what pages they visited, and how quickly they returned after leaving.
It's true that browsers commonly won't accept or send cookies set for a different domain than the request itself. While actual implementations vary, one straightforward technique is using third-party cookies. If website2.com, website3.com and website4.com all embed resources from presidentialcandidate.com -- for example, an advertisement in an iframe, or a 1x1 pixel image -- and the user's browser accepts and sends third-party cookies, then presidentialcandidate.com can learn, through setting and retrieving of the cookie and HTTP referer headers, that the visitor has previously visited those sites.
RFC 6265 discusses the privacy implications of third-party cookies in greater detail.
It may not always be resources from presidentialcandidate.com that are enabling this process. For example, some services use cookie syncing to align cookie identifiers between services (a description of cookie syncing in one scenario).