Abstract
In this paper we analyze the support currently provided by the most widely used web browsers for managing cookies. To carry out our study, we first designed an experiment and then ran it in each of the selected web browsers or, more precisely, in each of the cookie-related configurations currently supported by each of the selected web browsers. The main take-away from this experiment is that the current trend among web browsers of leaving the responsibility of handling cookies to the browsers’ end-users is not practical (and, therefore, not effective), simply because the understanding required for setting up the browsers’ cookie-related configurations is beyond what can reasonably be expected from a typical browser end-user. In addition, we have carried out a survey whose preliminary results seem to validate the main conclusion from our experiment.
Notes
1. Following the IMG tag, other tags were later added to HTML in order to embed or execute different types of subresources in the context of a document, including: script, frame, video, audio, iframe, link, and form.
2. The name “cookie” was chosen after the Computer Science term magic cookie. A “magic cookie” is some information passed between routines or programs that enables the receiver to perform some operation which could not be performed without it.
3. In 1996, the media started reporting on cookies’ potential threat to privacy. The concerns rightly arose from the fact that cookies were storing private information on the users’ computers without their knowledge or consent.
4. There are different methods for the website B to install the third-party cookie \(ck\) in the user’s browser when the user is visiting the website A. The basic method, however, consists of the website A making a request (for JavaScript files, images, fonts, CSS files, etc.) to the website B when the user is visiting the website A. Along with the response, the website A will receive from the website B the “third-party” cookie \(ck\), which will then be installed in the user’s browser.
5.
6. As is well known, CPPA [15], ePR [12], and GDPR [13] impose serious penalties on websites that fail to notify their visitors of the usage of cookies. More specifically, they require websites to inform their visitors about the data that will be collected using cookies, and about the websites with which the data will be shared using the cookies.
7. From the Mozilla Web Docs [21]: “Firefox ships with a list of sites which have been identified as engaging in cross-site tracking of users. When tracking protection is enabled, Firefox blocks content from sites in the list.” From Safari’s Help [5]: “Some websites use third-party content providers. A third-party content provider can track you across websites to advertise products and services.”
8. In Edge, the configuration “tracking prevention: Balanced” turns on the option “allow sites to save and read cookie data” and turns off the option “block third-party cookies”.
References
Raggett on Html 4. Addison Wesley Longman
Acar, G., Eubank, C., Englehardt, S., Juarez, M., Narayanan, A., Diaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 674–689. Association for Computing Machinery (2014). https://doi.org/10.1145/2660267.2660347
Andreessen, M.: NCSA Mosaic for X 0.10. https://groups.google.com/g/comp.windows.x/c/fMl2xRqLvRk/m/58RdTW0v3n8J
Apple Developer Documentation: Safari 13.1 release notes (2020). https://developer.apple.com/documentation/safari-release-notes/safari-13_1-release_notes
Apple Support: Prevent cross-site tracking in Safari on Mac (2021). https://support.apple.com/en-vn/guide/safari/sfri35610/mac
Barth, A., Westhoff, D., Wilton, M.: HTTP state tokens (2019). https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/12/
Barth, A., Westhoff, D., Wilton, M.: HTTP state tokens (2023). https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/10/
Barth, A.: HTTP state management mechanism. Technical report RFC 6265, RFC Editor (April 2011), https://datatracker.ietf.org/doc/rfc6265/
Cahn, A., Alfeld, S., Barford, P., Muthukrishnan, S.: An empirical study of web cookies. In: Proceedings of the 25th International Conference on World Wide Web - WWW ’16, pp. 891–901 (2016). https://doi.org/10.1145/2872427.2882991
CERN Accelerating Science: Line mode browser available at CERN. https://timeline.web.cern.ch/line-mode-browser-available-cern
Demir, N., Theis, D., Urban, T., Pohlmann, N.: Towards understanding first-party cookie tracking in the field, February 2022. https://arxiv.org/abs/2202.01498
European Commission: Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), January 2017. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52017PC0010
European Parliament and Council of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), April 2016. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX/3A32016R0679
Gomez, G., Yalaju, J., Garcia, M., Hoofnagle, C.: Cookie blocking and privacy: first parties remain a risk. Ptolemy Project (2010). https://ptolemy.berkeley.edu/projects/truststc/education/reu/10/Papers/GomezG, YalajuJ_paper.pdf
Innovation, S., Canada, E.D.: Consumer privacy protection act (2022). https://ised-isde.canada.ca/site/innovation-better-canada/en/consumer-privacy-protection-act. Accessed 04 Jan 2023
JISC Legal Information: EU Cookie Directive - Directive 2009/136/EC, April 2010. https://www.jisc.ac.uk/guides/eu-cookie-directive
Krishnamurthy, B., Wills, C.: Privacy diffusion on the web: a longitudinal perspective. In: Proceedings of the 18th International Conference on World Wide Web, pp. 541–550. ACM (2009)
Lou, M.: Persistent client state in a hypertext transfer protocol based client-server system. https://worldwide.espacenet.com/publicationDetails/biblio?locale=en_EP&FT=E&CC=US&NR=5774670&KC=
Mao, Z., Li, N., Molloy, I.: Defeating cross-site request forgery attacks with browser-enforced authenticity protection. Technical report, Purdue University, February 2009. https://www.cs.purdue.edu/homes/ninghui/papers/csrf_fc09.pdf
Mayer, J.R., Mitchell, J.C.: Third-party web tracking: policy and technology. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 413–427. IEEE Computer Society (2012)
Mozilla Developer Network: Firefox tracking protection (2021). https://developer.mozilla.org/en-US/docs/Web/Privacy/Firefox_tracking_protection
Mozilla Developer Network: Set-cookie (2021). https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
Çınar, N., Ateş, S.: Data privacy in digital advertising: towards a post third-party cookie era. In: Filimowicz, M. (ed.) Privacy: Algorithms and Society. Routledge (2022). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4041963
Rosenberg, M., Confessore, N., Cadwalladr, C.: How Trump consultants exploited the Facebook data of millions, March 2018. https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html
Satariano, A.: Google is fined $57 million under Europe’s Data Privacy Law. The New York Times, January 2019. https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-fine.html
Schneider, J.: Verizon’s ‘custom experience’ will now track you unless you opt out, January 2022. https://petapixel.com/2022/01/05/verizons-custom-experience-will-now-track-you-unless-you-opt-out/
Schuh, J.: An update on testing the privacy sandbox to sustain a healthy web, August 2021. https://blog.google/products/chrome/update-testing-privacy-sandbox-web/
Singer, N., Conger, K.: Google is fined $170 million for violating children’s privacy on YouTube (2019). https://www.nytimes.com/2019/09/04/technology/google-youtube-fine-ftc.html
Soltani, A., Canty, S., Mayo, Q., Thomas, L., Hoofnagle, C.J.: Flash cookies and privacy, August 2009. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862
Statcounter Global Stats: Desktop browser market share worldwide (2023). https://gs.statcounter.com/browser-market-share/desktop/worldwide
Wang, X., Wang, H., Chen, S.: Cookie poisoning in web based applications. In: Proceedings of the 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service, pp. 258–263. IEEE (2005)
Appendices
A Web-Browsers’ Configurations for Managing Cookies
The content of this Appendix is a compilation of the information provided by the browsers themselves. We do not claim any authorship with respect to the content of this Appendix. We include it only to make our experiment easier for readers to understand.
A.1 Chrome and Opera
They currently provide the following basic configurations:
- Allow all cookies. Sites can use cookies to improve the browsing experience, for example, to keep the user signed in or to remember items in the user’s shopping cart. Sites can also use cookies to see the user’s browsing activity across different sites, for example, to personalize ads.
- Block third-party cookies in Incognito (or Private Mode in Opera). Sites in “normal” mode can use cookies to improve the user’s browsing experience, for example, to keep the user signed in or to remember items in the user’s shopping cart. In “Incognito” or “Private” mode, sites can’t use cookies to see the user’s browsing activity across different sites, for example, to personalize ads. Features on some sites may not work.
- Block third-party cookies. Block all cookies which have different origins than the current top navigation. “Has different origins” means that the request comes from a URL different from the current top navigation, even if the cookie is associated with the target of the request.
- Block all cookies. Block all cookies, no matter where they come from.
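The mechanism in Note 4 and the four settings above can be replayed in a small model. This is an added example, not code from the paper or from any browser; the policy names, the `linkableVisits` helper and the `site-*.example` hosts are constructed, and "third-party" is modelled as an origin mismatch with the top-level page, as A.1 words it (real browsers compare registrable domains).

```javascript
// Simplified model (added example): not any browser's actual implementation.
// Assumption: "third-party" = request origin differs from the top-level origin,
// as A.1 words it; real browsers compare registrable domains ("sites") instead.
function isThirdParty(topUrl, requestUrl) {
  return new URL(topUrl).origin !== new URL(requestUrl).origin;
}

// Decide whether a cookie may be stored/sent for one request under an A.1 setting.
function cookieAllowed(policy, topUrl, requestUrl, incognito = false) {
  const thirdParty = isThirdParty(topUrl, requestUrl);
  switch (policy) {
    case "allow-all": return true;
    case "block-third-party-incognito": return !(thirdParty && incognito);
    case "block-third-party": return !thirdParty;
    case "block-all": return false;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Replay a browsing session. For every host, list the top-level pages on which
// its cookie was usable, i.e. the visits that host can link to one user.
function linkableVisits(policy, visits, incognito = false) {
  const seen = new Map();
  for (const { topUrl, subresources } of visits) {
    for (const requestUrl of [topUrl, ...subresources]) {
      if (!cookieAllowed(policy, topUrl, requestUrl, incognito)) continue;
      const host = new URL(requestUrl).host;
      if (!seen.has(host)) seen.set(host, []);
      seen.get(host).push(new URL(topUrl).host);
    }
  }
  return seen;
}

// Constructed session: site-a and site-c both embed a script from site-b (Note 4).
const SESSION = [
  { topUrl: "https://site-a.example/", subresources: ["https://site-b.example/t.js"] },
  { topUrl: "https://site-c.example/", subresources: ["https://site-b.example/t.js"] },
  { topUrl: "https://site-b.example/", subresources: [] },
];

for (const policy of ["allow-all", "block-third-party", "block-all"]) {
  const b = linkableVisits(policy, SESSION).get("site-b.example") || [];
  console.log(policy.padEnd(18), "site-b sees:", b.join(", ") || "(nothing)");
}
```

Under "block-third-party" the embedded host keeps only the visit where it was the top-level page, which is the behaviour survey questions 14 and 15 ask respondents to map to a setting.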
A.2 Firefox
It currently provides the following basic configurations:
- Standard. Block social media trackers, cross-site tracking cookies, cross-site cookies in “Private” windows, tracking content in “Private” windows, cryptominers, and fingerprinters.
- Strict. Block social media trackers, cross-site cookies in all windows (includes tracking cookies), tracking content in all windows, cryptominers, and fingerprinters.
- Custom. The user can choose among the following “customized” configurations:
  - Block cross-site tracking cookies;
  - Block cross-site tracking cookies and isolate other cross-site cookies;
  - Block cookies from unvisited websites: block all the third-party cookies from sites you have not visited as a first party;
  - Block all third-party cookies;
  - Block all cookies.
- Enhanced Tracking Protection. To enhance privacy protection for users while limiting the effect on their experience, Firefox also provides a function called Enhanced Tracking Protection. With this feature on, when a user accesses a website, all the “tracking” sites are blocked (e.g., tracking content, fingerprinters, social media trackers, cross-site tracking cookies, and cryptominers). Users can view information about these blocked sites. This feature was included in the Standard mode (only in Private Windows), Strict mode (in all windows) and Custom mode (in all windows or in Private Windows). However, if a site does not work, you can turn off this feature for that site only.

This feature is easy to use and is helpful for protecting user privacy. However, compared to Edge, it has a bit less security. Although users can see the information about every “tracking” item, they can only choose to allow all or reject all, by turning Enhanced Tracking Protection off or on, respectively.
A.3 Safari
It currently provides the following basic configurations:
- Prevent cross-site tracking. Unless you visit and interact with the third-party content provider as a first-party website, their cookies and website data are deleted.
- Block all cookies (also Prevent cross-site tracking). Select “Block all cookies” to disable cookies. This may prevent some websites from working properly.
- Allow all cookies (deselect Prevent cross-site tracking and deselect Block all cookies). Websites, third parties, and advertisers can store cookies and other data on your Mac.
A.4 Microsoft Edge
It currently provides the following basic configurations:
- Allow sites to save and read cookie data. When on, sites can store and read cookies on your PC.
- Allow sites to save and read cookie data + Block third-party cookies. When on, sites cannot use cookies that track you across the web. Features on some sites may break.

Besides these basic configurations, the user can choose one of the following tracking prevention options:
- Basic: Allows most trackers across all sites and blocks known harmful trackers.
- Balanced: Blocks trackers from sites you haven’t visited. Blocks known harmful trackers.
- Strict: Blocks a majority of trackers from all sites. Blocks known harmful trackers.
B Survey’s Questions
1. What is your age group?
2. How familiar are you with the Internet?
3. How often (on average) do you use the Internet to look for information (including news, places, promotions, events, etc.)?
4. How often do you use the Internet to buy items (foods, products, tickets, items, etc.)?
5. Have you ever had the feeling that a website you are visiting “knows” about your past Internet activities (including some information that you looked for, some items that you bought, some messages that you sent, etc.)?
6. Do you agree if a website shares information about your “usage data” (i.e., your browser activity when visiting the website) with other websites?
7. When you visit a website, do you know what “usage data” about you they are collecting?
8. When a website you visit asks you to allow cookies, which option do you usually select?
9. If you want to delete the cookies installed on your computer, do you know how to do it?
10. What issue worries you the most when using the Internet?
11. Do you always use the same browser (Chrome, Firefox, Safari, Edge, etc.) on all your devices (desktop, laptop, mobile, tablet, etc.)?
12. What is the “privacy setting” you usually select in your browsers?
13. Do you normally use any of the following browsers on any of your devices?
14. If you want your browser to install cookies on your computer only when they are created by a website that you directly visit, which option in the “privacy settings” will you select?
15. If you want your browser to install any cookies on your computer, even if they are created by a website that you do not directly visit, what option in the “privacy settings” do you have to select?
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Lam, N.C., Clavel, M. (2023). Web Browsers’ Support for Managing Cookies. An Experiment Report. In: Dang, T.K., Küng, J., Chung, T.M. (eds) Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications. FDSE 2023. Communications in Computer and Information Science, vol 1925. Springer, Singapore. https://doi.org/10.1007/978-981-99-8296-7_10
DOI: https://doi.org/10.1007/978-981-99-8296-7_10
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8295-0
Online ISBN: 978-981-99-8296-7
eBook Packages: Computer Science (R0)