I am curious about the mechanism behind how Google Analytics cookies are classified as 1st party cookies. The script tag’s src attribute points to Google’s domain, which is different from the domain of the page it’s embedded in. One hypothesis I have is that the Google Analytics JavaScript, when executed on the embedded page, generates cookies using document.cookie. Is the domain where document.cookie is executed the determining factor for whether a cookie is classified as a 1st party or 3rd party cookie?
>Solution :
Is the domain where document.cookie is executed the determining factor for whether a cookie is classified as a 1st party or 3rd party cookie?
The relevant origin for JavaScript code is the page’s origin, not the origin the script was loaded from. So yes, if a page on https://example.com uses JavaScript code loaded from https://google.com, and that code sets a cookie via document.cookie, it’s an https://example.com cookie.
Third-party cookies are created via the Set-Cookie header in a response to a request for a third-party resource. For instance, in the scenario above, if the HTTP response for the script had a Set-Cookie header, it would be trying to set a third-party cookie for https://google.com.