So, you want to detect browser cookie third party support.
What is third-party cookies
Basically, third-party cookies are cookies that are set by a website other than the one you are currently on. For example, ctomczyk.pl might have a Twitter like button. That button will set a cookie that can be read by Twitter. That would be considered a third-party cookie.
Some browsers (from specific versions), like Firefox and Safari, have this option disabled by default. However, see page “How to enable third-party cookies in your web browser” to get information’s how to enable third-party cookies in some browsers.
Potential options to detect if browser support third-part cookies
How to detect if browser allow to set third-party cookies or not? There is some options.
- Use
iframeandwindow.postMessagemethod (cross-origin communication) to check if third-party cookies can be set. - Use server-side solution.
I prefer server-side solution. The proof of concept is here: http://www.ctomczyk.pl/lab/3rd_party_cookie/feature_detection.html.
How it works?
Basically, I load script file from other domain than site is currently on. In my example it is from domain jscode.info. On server-side I setting the cookie and make a redirect to the server where I read the cookie and echo the script method with result. So, first step is to get script on server side (see method loadJS in source code of above proof of concept URL) that contains PHP (in this case I use PHP on server-side) code:
setcookie('3rdparty_test', true, time() + (60 * 5)); // 1 minute
$url = (!empty($_SERVER['HTTPS'])) ? "https://".$_SERVER['SERVER_NAME'].dirname($_SERVER['PHP_SELF']) : "http://".$_SERVER['SERVER_NAME'].dirname($_SERVER['PHP_SELF']);
header('p3p: CP="CAO PSA OUR"');
header('Location: ' . $url .'/getresult/testcookie.php');
exit;
and redirect to file where I read the cookie and echo the name of global method which will be called after response from server:
header('p3p: CP="CAO PSA OUR"');
header("content-type: application/x-javascript");
echo "
(function () {
";
if (isset($_COOKIE['3rdparty_test']) && !empty($_COOKIE['3rdparty_test'])){
$cookie_value = 'true';
} else {
$cookie_value = 'false';
}
echo "
window.is3rd_cookie(" . $cookie_value . ");
}());
";
Actually, it works in the same way as JSONP requests. Except that I do one redirect.
Note: IE requires you to set a P3P policy before it will allow third-party frames to set cookies, under the default privacy settings.
Darin, 26 May 2014
Nice solution. Could you please elaborate a little more about the first approach using iframe and window.postMessage?
Cezary Tomczyk, 28 May 2014
Thanks. As for first approach:
1. Create iframe.
2. Load page from different domain with client-side code that: 1) sets the cookie, 2) read the cookie and send the results to the parent using postMessage.
Very similar to http://stackoverflow.com/a/13887769/896702
Lucas, 19 January 2018
Hi!
This article is very useful, but seems kind of obsolete
(http://www.ctomczyk.pl/lab/3rd_party_cookie/feature_detection.html)
(http://www.jscode.info/lab/3rdcookie/3rdtest.php)
If you can update it with some functional tools it would be awesome.
Thanks!
Cezary Tomczyk, 21 April 2018
I’d be glad to update it, but I’d need to know what is obsolete there.