
When I visit this website, Google Analytics cookies are being sent to it from my browser along with the request.

This goes against my whole understanding of cookies which is that cookies are only sent to the site that put them there.

How is it then that cookies from Google (i.e. analytics.google.com) are sent to security.stackexchange.com?

Google StackExchange Analytics Cookies

CodyBugstein
  • Are you sure this is the case? Check the request header view in the Developer Tools, not the cookie list, to see what is actually sent. – eckes May 02 '18 at 17:09
  • 2
    Where do you see that those cookies are from analytics.google.com? Mine all have domain `.stackexchange.com`. – AndrolGenhald May 02 '18 at 17:11
  • @AndrolGenhald exactly. I don't see it specifically indicated that they are from google, but I know these types of cookies with these names and values are Google cookies – CodyBugstein May 02 '18 at 17:33

2 Answers

5

Cookies set by scripts are always associated with the webpage's domain, not the domain that the script came from. (If this weren't the case, then it would often be easy to include a script from a remote domain and a second script which redefined global functions to trick the first script into reading or setting arbitrary cookies on the remote domain.)

Security.SE includes the Google Analytics JavaScript file in its webpages, so the script runs within Security.SE's domain and any cookies set by the script are associated with the Security.SE domain.

Macil
  • So if everything stays on Security.SE, how does Google actually get the analytics data? Doesn't Google need the cookies to provide meaningful data? – CodyBugstein May 02 '18 at 19:42
  • 1
    The analytics cookies never make it to Google through the HTTP cookie header. The analytics javascript just uses the cookies as storage (they probably should just use localStorage instead if present given that they don't care for the being-included-in-requests functionality of cookies), and the javascript manually includes the cookie values inside of the requests it makes to their server. – Macil May 02 '18 at 21:02
  • Are you sure about that? That would mean any third party script included in a page could read all other cookies connected to that page? This means that if Google wanted they could retrieve cookies set by any other third party service used by Security.SE. That seems strange. – CodyBugstein May 02 '18 at 22:16
  • 1
    Yes, that's true. (This is something that XSS attacks usually take advantage of.) People should be cautious about including remote scripts on web pages in their domain. If remote scripts must be used, then they could be sandboxed by only including them in a page in an iframe that is sandboxed or on an external domain. (However, that negates most of the usefulness of Google Analytics specifically.) – Macil May 02 '18 at 23:23
  • @CodyBugstein "_party script included in a page could read all other cookies_" not those marked `HttpOnly` – curiousguy Jun 20 '18 at 17:09
  • 2
    @curiousguy Note that the 3rd party script could make http requests to the domain and make use of those cookies though. Say foobank.com has its login cookies marked as HttpOnly and includes a ` – Macil Jun 20 '18 at 21:26
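The scoping rules Macil's answer and comment thread describe can be checked with a small model of a browser cookie jar. This is an added example, not code from the answer or from any Stack Exchange or Google component: it models RFC 6265 domain matching and the `HttpOnly` flag, and deliberately ignores paths, expiry and `Secure`. The hostnames `security.stackexchange.com` and `.stackexchange.com` come from the thread; `analytics.example` and the cookie values are constructed placeholders. It shows that a cookie written through `document.cookie` by a script fetched from a third-party host is stored under the including page's domain (so it rides along to security.stackexchange.com, never to the analytics host), that the script can read every non-`HttpOnly` cookie of that page and copy it into its own beacon URL, and that a request the script triggers toward the page's own domain still carries the `HttpOnly` cookies even though the script cannot read them.

```javascript
// Added example: a minimal model of browser cookie scoping (not the page's code).
// Domain matching follows RFC 6265 section 5.1.3; everything else is simplified
// (no Path, no expiry, no Secure attribute). Hostnames other than the
// Stack Exchange ones mentioned in the thread are constructed placeholders.

function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() {
    this.cookies = []; // entries: { name, value, domain, httpOnly }
  }

  // Set-Cookie header in a response from `responseHost`; the server may mark
  // the cookie HttpOnly so that document.cookie never exposes it.
  setFromResponse(responseHost, name, value, { domain = responseHost, httpOnly = false } = {}) {
    this._store({ name, value, domain: domain.replace(/^\./, '').toLowerCase(), httpOnly });
  }

  // document.cookie = "name=value; domain=..." executed by a script. The script
  // runs in the origin of the page that included it, not the origin the script
  // file was downloaded from, so the cookie is scoped to pageHost (or one of
  // its parent domains). Scripts cannot set HttpOnly.
  setFromScript(pageHost, name, value, domain = pageHost) {
    const d = domain.replace(/^\./, '').toLowerCase();
    if (!domainMatches(pageHost, d)) {
      throw new Error(`script on ${pageHost} cannot set a cookie for ${d}`);
    }
    this._store({ name, value, domain: d, httpOnly: false });
  }

  _store(c) {
    this.cookies = this.cookies.filter(x => !(x.name === c.name && x.domain === c.domain));
    this.cookies.push(c);
  }

  // Cookie header the browser attaches to any request to `host`, whether the
  // request was started by the page itself or by a third-party script it loaded.
  cookieHeaderFor(host) {
    return this.cookies
      .filter(c => domainMatches(host, c.domain))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What document.cookie returns to any script running on `pageHost`,
  // including included third-party scripts: HttpOnly cookies are hidden.
  documentCookie(pageHost) {
    return this.cookies
      .filter(c => domainMatches(pageHost, c.domain) && !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Walk through the scenario from the question: the page's server sets an
// HttpOnly session cookie, then an analytics script fetched from a third-party
// host stores its client id via document.cookie and later reads it back to
// build a beacon URL, which is how the value reaches the analytics server.
function simulate() {
  const page = 'security.stackexchange.com';
  const analyticsHost = 'analytics.example'; // constructed placeholder host
  const jar = new CookieJar();

  jar.setFromResponse(page, 'session', 'abc123', { httpOnly: true });
  // Executed by the analytics script, but as code of the including page:
  jar.setFromScript(page, '_ga', 'GA1.2.111.222', '.stackexchange.com');

  const beacon = new URL('https://' + analyticsHost + '/collect');
  for (const pair of jar.documentCookie(page).split('; ')) {
    const [name, value] = pair.split('=');
    if (name === '_ga') beacon.searchParams.set('cid', value);
  }
  return {
    toPage: jar.cookieHeaderFor(page),            // includes the HttpOnly cookie
    toAnalytics: jar.cookieHeaderFor(analyticsHost), // nothing: wrong domain
    scriptVisible: jar.documentCookie(page),      // HttpOnly cookie hidden
    beacon: beacon.toString(),
  };
}

module.exports = { CookieJar, domainMatches, simulate };
```

Run it with `node` and inspect `simulate()`: the Cookie header sent to the page domain carries both cookies, the header for the analytics host is empty, and the only way the `_ga` value reaches the analytics host is the query string the script builds itself. The `setFromScript` check also rejects an attempt to set a cookie for an unrelated domain, which is the browser behaviour that Macil's first paragraph relies on.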
1

These may be Google cookies, but they are most likely generated by JavaScript code that is on your page. That is why they are sent to your page and not Google.

Peter Harmann