Home > Mobile >  Cookie flow in a site that hosts embedded Youtube video
Cookie flow in a site that hosts embedded Youtube video

Time:12-22

When there's a Youtube video embedded on a site that I visit while I am logged in Youtube beforehand, how does the embedded video know that it's me so I can add it to my Watch Later list?

I think the process is like this: The site that embeds the video gets sent the Youtube cookies.

1.What kind of cookies is that? my session authenticated cookies? is there a csrf token also sent?

I think that the site although that it receives the cookies it cannot read/access them.

2.Does Youtube also receive and read those cookies because the video is inside an iframe? So that is why it can identify me? If the video wasn't included in an iframe but the site would just link to a Youtube video/image file in plain tag/href, would Youtube be still able to receive the cookies but not actually read them? I mean what does the iframe do differently.

And 3. doesn't Youtube through the embedded video set third party cookies too? Does it mean that it can track me when visiting other sites that have embedded videos/elements from Youtube?

CodePudding user response:

When you are logged in to YouTube, there is a cookie (actually, many cookies) in your browser that is sent with every request to youtube.com and will authenticate you. So when you open a page at youtube.com, you will immediately be logged on. And of course all your requests to youtube.com can be tracked and associated with your Google account.

If you are not logged on, YouTube may use a similar cookie that identifies your browser, but without revealing your Google account. This at least identifies all the requests you make as belonging together.

When a youtube.com page is embedded in an iframe in some other (non-YouTube) page, the situation is almost the same, except that the cookie then counts as third-party, because the cookie domain youtube.com differs from the embedding domain otherpage.org. Depending on the settings, your browser may then refuse to include this cookie in the request which the iframe makes to youtube.com. This request is then unauthenticated and cannot be associated with your Google account (or with prior requests from the same browser).

There may be other methods to try and identify users that do not rely on cookies, but I don't know if YouTube employs them.

  • Related