HTTP cookie

A session cookie, also known as an in-memory cookie, transient cookie or non-persistent cookie, exists only in temporary memory while the user navigates the website. Web browsers normally delete session cookies when the user closes the browser.

Instead of expiring when the web browser is closed as session cookies do, a persistent cookie expires at a specific date or after a specific length of time. For the persistent cookie's lifespan set by its creator, its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an advertisement).

For this reason, persistent cookies are sometimes referred to as tracking cookies because they can be used by advertisers to record information about a user's web browsing habits over an extended period of time. However, they are also used for "legitimate" reasons (such as keeping users logged into their accounts on websites, to avoid re-entering login credentials at every visit).

An http-only cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). However, the cookie remains vulnerable to cross-site tracing (XST) and cross-site request forgery (CSRF) attacks. A cookie is given this characteristic by adding the HttpOnly flag to the cookie.

Normally, a cookie's domain attribute will match the domain that is shown in the web browser's address bar. This is called a first-party cookie. A third-party cookie, however, belongs to a domain different from the one shown in the address bar. This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements. This opens up the potential for tracking the user's browsing history and is often used by advertisers in an effort to serve relevant advertisements to each user.

As an example, suppose a user visits www.example.org. This website contains an advertisement from ad.foxytracking.com, which, when downloaded, sets a cookie belonging to the advertisement's domain (ad.foxytracking.com). Then, the user visits another website, www.foo.com, which also contains an advertisement from ad.foxytracking.com and sets a cookie belonging to that domain (ad.foxytracking.com). Eventually, both of these cookies will be sent to the advertiser when loading their advertisements or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites that have ads from this advertiser, through the use of the HTTP referer header field.

But how? 好像：thefreedictionary.com有广告，查看页面源代码，里面有一句：

<script src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>

可以打开并下载该.js文件(script src是可以跨域的，不能跨域的是AJAX):

https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js

它是个165KB的JavaScript源文件，在里面查iframe有多处。

The Window.parent property is a reference to the parent of the current window or subframe. If a window does not have a parent, its parent property is a reference to itself. When a window is loaded in an <iframe>, <object>, or <frame>, its parent is the window with the element embedding the window. 然后把window们的location.href们当cookie存起来。

As of 2014, some websites were setting cookies readable for over 100 third-party domains. On average, a single website was setting 10 cookies, with a maximum number of cookies (first- and third-party) reaching over 800.

Most modern web browsers contain privacy settings that can block third-party cookies, and some now block all third-party cookies by default - as of July 2020, such browsers include Apple Safari, Firefox, and Brave. Safari allows embedded sites to use Storage Access API to request permission to set first-party cookies. In May 2020, Google Chrome introduced new features to block third-party cookies by default in its Incognito mode for private browsing, making blocking optional during normal browsing. The same update also added an option to block first-party cookies. Chrome plans to start blocking third-party cookies by default in 2022.

A supercookie is a cookie with an origin of a top-level domain (such as .com) or a public suffix (such as .co.uk). Ordinary cookies, by contrast, have an origin of a specific domain name, such as example.com.

Supercookies can be a potential security concern and are therefore often blocked by web browsers. If unblocked by the browser, an attacker in control of a malicious website could set a supercookie and potentially disrupt or impersonate legitimate user requests to another website that shares the same top-level domain or public suffix as the malicious website. For example, a supercookie with an origin of .com, could maliciously affect a request made to example.com, even if the cookie did not originate from example.com. This can be used to fake logins or change user information.

六级/考研单词: transient, navigate, website, web, norm, delete, browse, expire, persist, transmit, legitimate, log, credentials, eliminate, thief, script, vulnerable, trace, forge, domain, attribute, banner, seldom, download, embed, default, update, thereby, malignant, disrupt, affection, fake