Understanding the Cookie Flow in a Site Hosting Embedded YouTube Videos
YouTube videos are embedded through an iframe. An iframe is in many ways like a separate browser tab. If you open YouTube in a new tab (for example by clicking a link), of course YouTube will get access to the cookies set for the YouTube domain. But when you open a site that has a YouTube iframe, then that iframe will load a page from YouTube, and in that context the YouTube page will have access to the YouTube cookies.
The main site that contains the iframe doesn’t get access to those cookies – only the page within the iframe does.
Third-party cookies are not relevant in this context. When third-party cookies are enabled, a page on one domain can set cookies for a completely different domain. Third-party cookies are mostly used for tracking purposes, for example in order to allow a random fashion blog `example.com` to retrieve and update advertising tracking information for the user via a cookie set for a domain `some-tracking-network.example`. Third-party cookies could also enable a logged-in experience for an embedded YouTube video when no iframes are used.
Some browsers provide first-party isolation / state isolation, so that iframes do not get access to the cookies of their site. Previously, I said that cookies are associated with a domain, e.g. `youtube.com`. More precisely, they are stored under some key, typically the domain name. But with state isolation, the key for iframes contains both the domain name of the embedding site and the embedded site.
For example, we might watch a video
- on `youtube.com` directly, or
- embedded as an iframe on `foo.example`.

There are different potential contexts here:
- the `youtube.com` site
- the `foo.example` site
- the `youtube.com` iframe embedded in the `foo.example` site
As discussed above, normally the YouTube iframe and the YouTube site have the same cookie context. With state partitioning, all three of those contexts have different cookie contexts and can’t share data via that mechanism – the embedded YouTube video would appear as it does for a logged-out user.
Sometimes you see YouTube videos embedded via the `youtube-nocookie.com` domain. This serves the same video, but because the domain name isn’t `youtube.com` the embedded video will not have access to your `youtube.com` cookies.
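
The cookie keying described above, as a toy model in JavaScript (an added example, not browser code and not part of the original text). The `CookieStore` class, the context objects and the `session` cookie name are illustrative assumptions; real browsers key on the registrable site and apply further cookie rules that this model ignores.

```javascript
// Toy model of browser cookie storage; a simplification, not real browser code.
// A context is { top, frame }: the site in the address bar and the site of the
// document asking for cookies. For a top-level page both are the same.
class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned; // true = state isolation enabled
    this.jars = new Map();          // storage key -> Map(cookie name -> value)
  }
  // Unpartitioned: the key is the document's own domain.
  // Partitioned: the key also includes the embedding (top-level) site.
  key(ctx) {
    return this.partitioned ? `${ctx.top}|${ctx.frame}` : ctx.frame;
  }
  set(ctx, name, value) {
    const k = this.key(ctx);
    if (!this.jars.has(k)) this.jars.set(k, new Map());
    this.jars.get(k).set(name, value);
  }
  get(ctx, name) {
    const jar = this.jars.get(this.key(ctx));
    return jar ? jar.get(name) : undefined;
  }
}

// The contexts from the text, plus the youtube-nocookie.com embed.
const CONTEXTS = {
  youtubeSite:   { top: "youtube.com", frame: "youtube.com" },
  fooSite:       { top: "foo.example", frame: "foo.example" },
  youtubeInFoo:  { top: "foo.example", frame: "youtube.com" },
  noCookieInFoo: { top: "foo.example", frame: "youtube-nocookie.com" },
};

// The user logs in on youtube.com directly; report which contexts can then
// read that session cookie.
function whoSeesLogin(partitioned) {
  const store = new CookieStore(partitioned);
  store.set(CONTEXTS.youtubeSite, "session", "constructed-sample-value");
  const result = {};
  for (const [name, ctx] of Object.entries(CONTEXTS)) {
    result[name] = store.get(ctx, "session") !== undefined;
  }
  return result;
}

console.log("no isolation:   ", whoSeesLogin(false));
console.log("state isolation:", whoSeesLogin(true));
```

In both modes the embedding page `foo.example` never sees the session cookie; only the `youtube.com` iframe's visibility changes between them.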