3

In light of 3rd party cookies being disallowed for tracking / marketing purposes, what would prevent a 3rd party from simply creating a local storage entry under child.com within an iframe (main page in URL being parent1.com), where the same child.com local storage value is available when the user browses to parent2.com that also has child.com under an iframe?

Wouldn't child.com (being an ad company or store) be able to track the user across various parent domains, where the JavaScript in the child.com iframe reads whatever local storage value and sends it up to child.com?

3
  • Advertisers generally don't have their content included in pages via iframes, so your question is largely moot. If I host an ad on my site, I would most likely show a clickable image to my page, but I would never include an iframe that has the advertiser's content within it as this would be a huge security hole (as your question suggests).
    Commented Aug 29, 2022 at 19:28
  • 1
    @ScottMarcus "Advertisers generally don't have their content included in pages via iframes" - this is false. It's common to use iframes for ads; that's usually how Google ads do it. You can see this if you inspect them on various websites, Fandom for example.
    – Konrad
    Commented Aug 29, 2022 at 19:38
  • 1
    As we approach Google experimenting with rejecting third-party cookies by default in Chrome starting January 4, 2024, answers to this question are going to be quite useful and relevant to those of us affected. developers.google.com/privacy-sandbox/3pcd
    – dossy
    Commented Dec 26, 2023 at 19:18

1 Answer

0

Using local storage does not bypass 3rd party cookie rules; it is subject to exactly the same rules as cookies are. The applicable law (the EU Electronic Privacy Directive 2002) does not specify technical measures, only the resulting impact on privacy. Cookies are simply the most common approach to user tracking, so they are what gets all the attention – especially since they are widely abused.

So it makes no difference how you achieve your tracking; you're going to need consent or some other legitimate basis for collecting the data. If you think you've found a clever technical loophole, you haven't.

1
  • 3
    I am actually not trying to side-step myself, but genuinely curious about if local storage operates differently. You are referring to legal constraints in your response above - but what about browser enforced technical constraints? The latter is what my question is really about. Thx.
    – Phoeniyx
    Commented Aug 31, 2022 at 7:13
