Wilder's cookies gurus_this claim Google Analytics can read 1st party cookie across domains?

Discussion in 'privacy general' started by phkhgh, Dec 27, 2019.

  1. phkhgh

    phkhgh Registered Member

    Aug 17, 2007
    I stumbled across this by accident. Was trying to find exactly what Mozilla will use to "identify you" on their new Firefox Account login. Really didn't find anything except marketing hype.

    Fact: lots of Fx addons don't work on Mozilla sites.

    Fact: Mozilla sites allow Google Analytics (I'll use GA, ga or "_ga") to set a 1st party cookie. https://www.mozilla.org/en-US/privacy/websites/
    Mozilla says:
    Sign into Google acct? Meaning, you must have one. To opt out of Google gathering data on you? Didn't know this addon existed, developed by Google. I'd think the reason for requiring creating an acct & logging in to change some settings is fairly obvious.

    On to the question if GA cookie set on Mozilla sites really can be accessed by GA on other sites, as this site / blogger claimed. https://www.upbuild.io/blog/firefox-google-analytics-data/
    Meaning, the GA 1st party cookie isn't blocked (OK).
    (author, Mike Arnesen, was using Fx 67, which may function differently than v71).

    Mike says, in Firefox, hit Shift + F9 to bring up the Storage Inspector. ... see any cookies,...(
    He shows how the UNblocked 1st party _ga cookie is set (if a site allows this in their settings).
    Now the interesting part, if still true. Mike says:
    Again, this was supposed to be a 1st party cookie. I understand this fairly well - up to a point. What I don't know is whether the "default" Fx 67 settings he used did block GA's 3rd party but not their 1st party cookies.

    What do Wilder's resident gurus think of this? If you don't have everything set to block and google sets 1st party cookies on mozilla sites, is it ever possible for Google to read the cookie across multiple sites? We know Google gets preferential treatment.

    In Privacy & Security under enhanced tracking, I have "Custom" checked w/ "cookies from unvisited sites"; "Tracking content - In all windows" checked.
    The other 2 options are checked.
    Also, in about:config, "privacy.firstparty.isolate" = true. I think that was default in Fx 67.

    With those settings (which will break some features on some sites), I see no _ga cookie set - logging into //support.mozilla.org. I had to uncheck "Tracking content" under Custom security section. Then 3 GA cookies were set.

    Before going to other sites, I re-checked under Custom security, Tracking content [NOTE: when that is unchecked / re-checked, it defaults to "only in private windows" (private browsing) - so be mindful].

    Went to Amazon, Google.com then back to Mozilla (so I could see the original GA cookies set there, to see if "Last accessed" time had changed; I didn't re-load Mozilla).
    It hadn't, but I'm not sure what would've happened if I didn't re-check the Security & Privacy > Custom settings to "full lock down" before visiting the other sites.

    But I noticed something interesting in one of mozilla.org's source code: It said "Github secret," with a long, random alpha-numeric string. I think it was when I logged onto Mozilla's site, but couldn't find it again.
  2. Stefan Froberg

    Stefan Froberg Registered Member

    Jul 30, 2014
    Well, if you visit any site that uses Google stuff (like JavaScript files like analytics.js or the older ga.js) then of course they can see whatever persistent cookie (cookie with expiration time set to non-empty) they have set. Third party or not.

    That's why most people here use uBlock Origin and other stuff to block the ***** out


    From that https://www.mozilla.org/en-US/privacy/websites/ :

    "We may use cookies, clear GIFs, third party analytics etc..."

    Clear GIFs are usually transparent 1x1 size pixels whose only purpose is tracking and setting cookies. So not looking too good....
    Last edited: Dec 27, 2019
  3. 142395

    142395 Guest

    Note that JavaScript can access any cookie for which the publisher didn't set the HttpOnly property. You can see this was not set on the GA cookie in your linked blog, so it's no wonder it was accessed by someone. This is just one reason among many why tracking scripts are much more problematic than any other form of tracker.

    Sorry for nit-picking, but this is wrong in general. There are two other uses for a 1x1 clear GIF: 1) spacer, to slightly adjust the layout of contents, and 2) lazyload, where it's a replacement for a large image, so that a site first loads the 1x1 GIF to reduce loading time and only after the user has scrolled to the position is the real image loaded. Some personally maintained filters on Github (among too many) don't distinguish them and block all 1x1 GIFs w/out knowing it breaks site layout slightly and causes worse performance.
    Last edited by a moderator: Dec 28, 2019
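
Added example, not part of any post in this thread: a small model of the rule the posts above turn on, namely which cookies `document.cookie` exposes to a script running in a given page. The header values, the `example.org` / `example.net` hosts and all function names are constructed for illustration; public-suffix checks, SameSite and Firefox's first-party isolation are not modelled.

```javascript
// Constructed sample Set-Cookie headers (illustrative; not captured from a real site).
const SAMPLE_HEADERS = [
  "_ga=GA1.2.111111111.1577400000; Domain=example.org; Path=/; Max-Age=63072000",
  "session=abc123; Path=/; Secure; HttpOnly",
  "prefs=dark; Path=/account; Secure",
];

// Parse one Set-Cookie header that was received from `setterHost`.
function parseSetCookie(header, setterHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: setterHost.toLowerCase(), hostOnly: true,
    path: "/", secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    const val = rawVal.trim();
    if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false; // Domain attribute widens scope to subdomains
    } else if (key === "path" && val.startsWith("/")) cookie.path = val;
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Domain and path matching in the style of RFC 6265.
function domainMatches(c, host) {
  return host === c.domain || (!c.hostOnly && host.endsWith("." + c.domain));
}
function pathMatches(cookiePath, pagePath) {
  if (pagePath === cookiePath) return true;
  if (!pagePath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || pagePath[cookiePath.length] === "/";
}

// Cookie names document.cookie would expose to ANY script executing in the page
// at pageUrl, no matter which server that script file was fetched from.
function scriptReadable(cookies, pageUrl) {
  const u = new URL(pageUrl);
  return cookies.filter((c) => !c.httpOnly && domainMatches(c, u.hostname) &&
      pathMatches(c.path, u.pathname) && (!c.secure || u.protocol === "https:"))
    .map((c) => c.name);
}
const jar = SAMPLE_HEADERS.map((h) => parseSetCookie(h, "www.example.org"));
```

Calling `scriptReadable(jar, url)` with pages on the setting site, a sibling subdomain and an unrelated site shows that the cookie's scope follows the page the script runs in, and that only `HttpOnly` hides a cookie from script.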
  4. bo elam

    bo elam Registered Member

    Jun 15, 2010
    I have most trackers from Google (including google-analytics.com) set as Untrusted in NoScript. As far as I can remember, I never had to allow GA to run to get the content I wanted in any site. It is never needed for getting content that's desirable. Of all the trackers from Google that I blacklist (you can see what they are in the picture below), the only one I found that might have some usefulness (very rare) is googleusercontent.com.

    [Attached image: Sin título.jpg]
