Understanding the Cookie Flow in a Site Hosting Embedded YouTube Videos

YouTube videos are embedded through an iframe. An iframe is in many ways like a separate browser tab. If you open YouTube in a new tab (for example by clicking a link), of course YouTube will get access to the cookies set for the YouTube domain. Likewise, when you open a site that has a YouTube iframe, that iframe will load a page from YouTube, and in that context the YouTube page will have access to the YouTube cookies.

The main site that contains the iframe doesn’t get access to those cookies – only the page within the iframe does.

Third-party cookies are not relevant in this context. When third-party cookies are enabled, a page on one domain can set cookies for a completely different domain. Third-party cookies are mostly used for tracking purposes, for example to allow a random fashion blog example.com to retrieve and update advertising tracking information for the user via a cookie set for a domain some-tracking-network.example. Third-party cookies could also enable a logged-in experience for an embedded YouTube video when no iframes are used.

Some browsers provide first-party isolation / state isolation, so that iframes do not get access to the cookies of their site. Previously, I said that cookies are associated with a domain, e.g. youtube.com. More precisely, they are stored under some key, typically the domain name. But with state isolation, the key for iframes contains the domain names of both the embedding site and the embedded site.

For example, we might watch a video

  • on youtube.com directly, or
  • embedded as an iframe on foo.example.

There are different potential contexts here:

  • the youtube.com site
  • the foo.example site
  • the youtube.com iframe embedded in the foo.example site

As discussed above, normally the YouTube iframe and the YouTube site have the same cookie context. With state partitioning, all three of those contexts have different cookie contexts and can’t share data via that mechanism – the embedded YouTube video would appear as it does for a logged-out user.
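The three contexts above can be modelled with a toy cookie store, added here as an illustration and not taken from any browser's code. The `CookieJar` class, the `^` key separator and the cookie values are assumptions made for the example; real browsers key on the registrable site and track more attributes.

```javascript
// Toy model of a browser cookie store (hypothetical, not a real browser API).
class CookieJar {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map(); // storage key -> Map(cookie name -> value)
  }

  // topLevelSite: the site in the address bar.
  // frameSite: the site of the document reading or writing the cookie
  //            (equal to topLevelSite for the main page itself).
  storageKey(topLevelSite, frameSite) {
    if (this.partitioned && topLevelSite !== frameSite) {
      // State isolation: key holds the embedding site AND the embedded site.
      return `${topLevelSite}^${frameSite}`;
    }
    return frameSite; // classic behaviour: keyed by the cookie's own domain
  }

  set(topLevelSite, frameSite, name, value) {
    const key = this.storageKey(topLevelSite, frameSite);
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
  }

  get(topLevelSite, frameSite, name) {
    const bucket = this.store.get(this.storageKey(topLevelSite, frameSite));
    return bucket ? bucket.get(name) : undefined;
  }
}

// The user logs in on youtube.com directly, then visits foo.example, which
// embeds a YouTube iframe. Returns the session cookie each context can see.
function simulate(partitioned) {
  const jar = new CookieJar({ partitioned });
  jar.set("youtube.com", "youtube.com", "session", "constructed-session-id");
  jar.set("foo.example", "foo.example", "theme", "dark"); // constructed value
  return {
    youtubeSite: jar.get("youtube.com", "youtube.com", "session"),
    fooSite: jar.get("foo.example", "foo.example", "session"),
    youtubeIframeOnFoo: jar.get("foo.example", "youtube.com", "session"),
  };
}

console.log("unpartitioned:", simulate(false));
console.log("partitioned:  ", simulate(true));
```

In both modes foo.example itself never sees the session cookie; only the iframe's view changes between the two runs.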

Sometimes you see YouTube videos embedded via the youtube-nocookie.com domain. This serves the same video, but because the domain name isn’t youtube.com, the embedded video will not have access to your youtube.com cookies.
