COOKIEGUARD: Characterizing and Isolating the First-Party Cookie Jar

Pouneh Nikkhah Bahrami, Aurore Fass, Zubair Shafiq

TL;DR

This work addresses the risk that first-party cookies are exploited by cross-domain main-frame scripts as third-party cookies are curtailed. It delivers the first large-scale measurement across 20,000 sites, revealing widespread cross-domain exfiltration (≈56%) and integrity violations (≈32% overwrites/deletes) of first-party cookies, and proposes CookieGuard, a per-script-origin isolation mechanism implemented as a browser extension. CookieGuard effectively blocks cross-domain cookie interactions, incurring about 0.3 seconds of average page-load overhead and causing SSO disruption on about 11% of sites; domain-based whitelisting reduces breakage to roughly 3%. The study highlights core weaknesses in current browser models and offers a practical, deployable defense that strengthens cookie ownership semantics while acknowledging limitations and avenues for future refinement.

Abstract

As third-party cookies are being phased out or restricted by major browsers, first-party cookies are increasingly repurposed for tracking. Prior work has shown that third-party scripts embedded in the main frame can access and exfiltrate first-party cookies, including those set by other third-party scripts. However, existing browser security mechanisms, such as the Same-Origin Policy, Content Security Policy, and third-party storage partitioning, do not prevent this type of cross-domain interaction within the main frame. While recent studies have begun to highlight this issue, there remains a lack of comprehensive measurement and practical defenses. In this work, we conduct the first large-scale measurement of cross-domain access to first-party cookies across 20,000 websites. We find that 56 percent of websites include third-party scripts that exfiltrate cookies they did not set, and 32 percent allow unauthorized overwriting or deletion, revealing significant confidentiality and integrity risks. To mitigate this, we propose CookieGuard, a browser-based runtime enforcement mechanism that isolates first-party cookies on a per-script-origin basis. CookieGuard blocks all unauthorized cross-domain cookie operations while preserving site functionality in most cases, with Single Sign-On disruption observed on 11 percent of sites. Our results expose critical flaws in current browser models and offer a deployable path toward stronger cookie isolation.
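
The per-script-origin isolation and domain-based whitelisting described above can be modelled with a small cookie jar that records which script domain created each cookie. This is an added illustration, not CookieGuard's code: the class `IsolatedCookieJar`, its `allowGroups` parameter, the two-label domain approximation and the sample URLs are all assumptions made for the example.

```javascript
// Added illustration: a toy per-script-origin cookie jar (not CookieGuard's code).
// Assumption: a script's domain is the last two hostname labels (no Public Suffix List).
function scriptDomain(scriptUrl) {
  return new URL(scriptUrl).hostname.split('.').slice(-2).join('.');
}

class IsolatedCookieJar {
  // allowGroups: hypothetical allowlist, arrays of domains that may share cookies
  constructor(allowGroups = []) {
    this.cookies = new Map(); // name -> { value, owner }
    this.allowGroups = allowGroups.map((g) => new Set(g));
    this.blocked = []; // audit log of denied cross-domain operations
  }
  canAccess(domain, owner) {
    if (domain === owner) return true;
    return this.allowGroups.some((g) => g.has(domain) && g.has(owner));
  }
  // Write: a new cookie is owned by its creator; overwrites need access to the owner.
  set(scriptUrl, name, value) {
    const domain = scriptDomain(scriptUrl);
    const owner = this.cookies.has(name) ? this.cookies.get(name).owner : domain;
    if (!this.canAccess(domain, owner)) {
      this.blocked.push({ op: 'overwrite', name, by: domain });
      return false;
    }
    this.cookies.set(name, { value, owner });
    return true;
  }
  remove(scriptUrl, name) {
    const domain = scriptDomain(scriptUrl);
    const existing = this.cookies.get(name);
    if (!existing) return false;
    if (this.canAccess(domain, existing.owner)) return this.cookies.delete(name);
    this.blocked.push({ op: 'delete', name, by: domain });
    return false;
  }
  // Read: a document.cookie-style string filtered to cookies the caller may access.
  read(scriptUrl) {
    const domain = scriptDomain(scriptUrl);
    return [...this.cookies]
      .filter(([, c]) => this.canAccess(domain, c.owner))
      .map(([name, c]) => `${name}=${c.value}`).join('; ');
  }
}

// Constructed demo: the site sets a session cookie, then a script from another domain reads.
const demoJar = new IsolatedCookieJar();
demoJar.set('https://shop.example/app.js', 'session', 'abc123');
console.log(JSON.stringify(demoJar.read('https://cdn.tracker.test/t.js')));
```

Passing an allowlist group such as `[['sso.test', 'partner.test']]` to the constructor lets those two domains share cookies, which is the kind of exception a Single Sign-On flow would need in this model.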

Paper Structure (33 sections, 9 figures, 5 tables)

This paper contains 33 sections, 9 figures, 5 tables.

Figures (9)

  • Figure 1: Top 20 script-hosting domains involved in cross-domain cookie exfiltration, ranked by the number of unique cookies exfiltrated to third-party destinations.
  • Figure 2: CookieGuard overview
  • Figure 3: CookieGuard's components
  • Figure 4: Evaluation of cross-domain cookie interactions: Comparing regular browser behavior with and without the CookieGuard extension.
  • Figure 5: Paired distribution of DOM Content Loaded, DOM Interactive, and Load Event Time (With CookieGuard vs. No CookieGuard) with logarithmic y-axis. Blue lines show medians; boxes show interquartile range (IQR); whiskers indicate 1.5$\times$IQR; points are outliers.
  • ...and 4 more figures