When a page includes third party javascript (via <script src=...) and that javascript then sets a cookie, that cookie “becomes” a first party cookie, even though it’s originally set by a third party source.
My question is this. If someone has disabled third party cookies in their browser, does that also apply cookies set by third party javascript? Or does it only block cookies that are explicitly set in the headers for requests to the third party domain?
And either way, do all browsers handle this the exact same way or do some block javascript cookies but others allow it?
I just thought I’d update this after further testing, in case anyone comes across it later.
I tested Firefox 3.6, MSIE 7, Safari 4, Chrome 4, and Opera 10, and they all do in fact support creating cookies via third party javascript, even when third party cookies are disabled. I conclude this is because the cookies are created for the first party domain, so the browsers treat them as first party cookies, even though they are created by a script from a third party source.
It’s only cookies created by headers from third party requests that get rejected when this feature is enabled.