You'll notice that for the app/routes/jokes/$jokeId.tsx route in addition to Cache-Control we've also set Vary header to Cookie. This is because we're returning something that's specific to the user who is logged in. So we want the cache to associated to that particular Cookie value and not shared with different users, so the browser and CDN will not deliver the cached value if the cookie is different from the cached response's cookie.

while with server/externalFetch there is no direct way to pass cookie headers from the original request to the external one

With httponly you only prevent to read the cookie with js, but its still possible to make requests in the name of the user.

They are on client-side, but (usually) they are HTTPOnly. Now if they are part of session, any client-side script is able to access them, and I just don't like introducing vulnerabilities knowingly. As I said above, I found a workaround that works for me and you may have different opinion from me on how much this is a risk.

Right now I am working around this issue by having an internal [...api].js, then call fetch for that endpoint (which automatically passes on cookies) and from there hit the actual external endpoint. It works, there is no risk of leaking anything, but imo shouldn't be necessary.

Sure you can abuse session but I don't like that since there is the risk of exposing credentials to client side code.

In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.

I started off really wanting to use HttpOnly cookies

A cookie is associated with a domain. If this domain is the same as the domain of the page you are on, the cookie is called a first-party cookie. If the domain is different, it is a third-party cookie. While the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners), which may set third-party cookies. These are mainly used for advertising and tracking across the web.

I don't know how much workaround is it, but for now I'm using this approach:

This way I'm able to pass cookie back and forth, so this code kind of works:

'set-cookie': response.headers.get('set-cookie')

That said, third party cookies are subject to privacy concerns and are blocked by both browser extensions and even by some browsers themselves, so they shouldn't be relied upon.

If you do need to passthrough your mydomain.com cookies to a thirdparty.com domain, you can technically already do that now by implementing it as an endpoint and calling fetch('/my-endpoint')

I've been thinking more about how to best do this. The preferred way might be to use the same domain and have an application load balancer like nginx split traffic on the URL path (e.g. /api). This is for two reasons. Firstly, you might not necessarily want to cookie the primary/apex domain and have the cookie shared across all subdomains. You also might not want to do CORS because preflight requests add latency and CORS adds complication.

the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.

The Web Storage API provides mechanisms by which browsers can store key/value pairs, in a much more intuitive fashion than using cookies.

This kind of cookie-based data collection happens elsewhere on the internet. Giant companies use it as a way to assess where their users go as they surf the web, which can then be tied into providing better targeted advertising.

For instance, Google’s reCaptcha cookie follows the same logic of the Facebook “like” button when it’s embedded in other websites—it gives that site some social media functionality, but it also lets Facebook know that you’re there.

one of the ways that Google determines whether you’re a malicious user or not is whether you already have a Google cookie installed on your browser.

In particular, if you set this parameter to true, our solution creates a technical cookie on iubenda.com (domain) which is used when the cookie on the local domain is not found.

Importance of declaring the cookie domain: When you clean up the cookies (like in the example above for on_reject) is important to set the domain that this cookies belongs. In some cases this external scripts could add the cookie on your subdomain or your base domain. In out case we found that some cookies are generated on panel.preyproject.com or .panel.preyproject or just preyproject.com.

A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

Implementing prior blocking and asynchronous re-activation Our prior blocking option prevents the installation of non-exempt cookies before user consent is obtained (as required by EU law) and asynchronously activates (without reloading the page) the scripts after the user consents.To use, you must first enable this feature: simply select the “Prior blocking and asynchronous re-activation” checkbox above before copy and pasting the code snippet into the HEAD as mentioned in the preceding paragraph.

Allows you to autodetect and limit prior-blocking and cookie consent requests only to users from the EU – where this is a legal requirement – while running cookies scripts normally in regions where you are still legally allowed to do so.

Enables the blocking of scripts and their reactivation only after having collected user consent. If false, the blocked scripts are always reactivated regardless of whether or not consent has been provided (useful for testing purposes, or when you’re working on your project locally and don’t want pageviews to be counted). We strongly advise against setting "priorConsent":false if you need to comply with EU legislation. Please note that if the prior blocking setting has been disabled server side (via the checkbox on the flow page), this parameter will be ineffective whether it’s set to true or false.

Strictly necessary (id 1). Purposes included:Backup saving and managementHosting and backend infrastructureManaging landing and invitation pagesPlatform services and hostingSPAM protectionTraffic optimization and distributionInfrastructure monitoringHandling payments

Prevent your tags from running before you obtain a legal consent.

If other third-party tools guarantee not to use cookies, perhaps by providing specific configuration options, they too can be considered to be exempt from prior blocking. This is the case namely with YouTube, which provides a specific feature to prevent the user from being tracked through cookies.

This depends on the legal jurisdiction applicable to your site. In Europe, you’re legally required to block cookie scripts until user consent is obtained. All cookies must be blocked except for those that are exempt.

Technical cookies, preference, session and optimization cookies

Some cookies are exempted from prior consent and therefore do not require compliance with the instructions contained in this guide

Technical cookies, i.e. those needed to provide the service. These include preference cookies, session cookies, load balancing cookies etc.

stored in a first-party cookie, which means that users will be requested to give their consent again after deleting browser cookies or switching to another device or browser

First-party cookies are the lifeblood of every website, enabling businesses to remember key pieces of information about users and to collect analytics data. Third-party cookies are the bread and butter of AdTech, allowing publishers to monetize their websites, and brands to run advertising and marketing campaigns.

The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart.

When you visit your favorite online store, you expect the items you add to your shopping cart to still be in your shopping cart when you check out. Cookies make that happen. If you opted out of those cookies, you would, in essence, be opting out of the very reason you went to that site in the first place. Asking a customer if they want to allow cookies to make their shopping cart work would be like asking them if they want the thread to keep their shirt together.

In fact, some are essential for the proper functioning of a website. The EU understands this and makes an exception for cookies that are "strictly necessary" to fulfill the services requested by your site visitors.

If you want to disable Google Analytics-tracking for this site, please click here: [delete_cookies]. The cookie which enabled tracking on Google Analytics is immediately removed.

You can also disable the use of cookies via your browser, but please note that our website may no longer work properly.

The cookies that are non-essential will be sent to the browsers only if the visitors accept them.

So if they choose to play the video, do they get some other prompt to accept cookies from YouTube BEFORE the video will play?

This tool will allow you to create a customised cookieless Google Map that does not use privacy-invasive cookies.

the current implementation of the Maps API v3 does not rely on the exchange of cookies with Google

I've tested it and it won't load NID cookie, so no need to get consent for it.

Google uses cookies like NID and SID to help customize ads on Google properties, like Google Search. For example, we use such cookies to remember your most recent searches, your previous interactions with an advertiser’s ads or search results, and your visits to an advertiser’s website. This helps us to show you customized ads on Google.

Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.

Vimeo’s embeddable video player uses first-party cookies that we consider essential to the video player experience. We do not use third-party analytics or advertising cookies when our video player appears on a third-party website.

YouTube’s privacy-enhanced mode basically means they do not store visitor’s information if you have a YouTube video on your website, unless they actually click on the video to view it.

Many people see tracking cookies as an invasion of privacy since they allow a site to build up profiles on users without their consent.

YouTube's default setting is to leave privacy-enhanced mode off. This allows them to place a tracking cookie on any computer that a viewer uses to visit your webpage.

The problem is that even if the visitor is not watching the video or interacting with it, in any capacity, YouTube still collects and stores data on them. Not cool.This is done using cookies that are placed on the user’s browser the moment they load a webpage with a YouTube video embedded in it. These cookies are used to track users, serve targeted ads (Google’s bread and butter), and add info to user’s profile. Yes, they have profiles on everyone.

Default YouTube video embeds set cookies on user systems as soon as they open web pages with embedded YouTube videos. Google may use the cookie to deliver targeted advertisement, add information to the user's profile, or track the user.

an additional reCAPTCHA-specific cookie will be added to the user's browser

While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.

ReCaptcha is just a cookie-based scheme to put Google Cookies

select an origin

Also note that the first two opt out tools are currently cookie-based and prevent Oracle from using, sharing, or selling your personal information for interest-based advertising on the browser on which they are installed. As a result, the opt out will only function if your browser is set to accept third-party cookies and may not function where cookies are sometimes automatically disabled or removed (e.g., certain mobile devices and operating systems). If you delete cookies, change your browser settings, switch browsers or computers, or use another operating system, you will need to opt out again. Oracle does not use persistent, unique identifiers to revive a previously opted-out profile or deleted cookie.

Much like the cookies you eat are an asset to humankind, HTTP cookies are an asset to the internet. They help personalize the web experience and make things like online shopping and logging into accounts so much easier and more efficient.

Cross-Domain Cookie Library This library is intended for cases where you have scripts running on different domains (i.e. domain-a.com, domain-b.com) that need to be able to set/share a cookie value across those domains. A few example use cases would be a third-party script that wants to set/share a user identifier across both domains, or a company that wants to track if a user signed up for a newsletter across both their main website and blog that resides on a different TLD. This library also offers a way of writing data to a cookie from a third-party script

Websites, Communications & Cookies Privacy Notice

A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.[

Weusecookiestoprovideyouwithabetterservice.Carryonbrowsingifyou’rehappywiththis,orfindouthowtomanagecookies.’

However,evenwhenconsensuallyinstalled,usersrarelyunderstandhowspywareworksandoftenforgetaboutitspresence.[50]Cookiesarethemostpervasiveform.Theyarebitsofdatastoredondevicesandsenttobrowsersbywebsitesthatarevisitedorthroughtechniqueslike‘devicefingerprinting’,whichenableswatchingsubjectswhodeleteordonotstorecookies.[51]Theyareusednotonlyformonitoringdigitalactionsbutalsofortrackingpreferredlanguage,login,andotherpersonalsettingssuchassearchpreferencesandfortargetingadvertisingandtrackingnumbersofvisitstosites.[52]Digitaltracespickedupbycookieshavealsobeenrepurposedbysecurityagencies,suchastheNSA’sutilizationofGoogle’sadvertisingcookiestotracktargets.

When not setting an explicit domain for a cookie, the default in most browsers is to only send the cookie when the domain matches exactly. However, Internet Explorer violates the RFC, and will send it to all subdomains as well.

It is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path. It can be easily bypassed using the DOM, for example by creating a hidden iframe element with the path of the cookie, then accessing this iframe's contentDocument.cookie property. The only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.