As third-party cookies are being phased out or restricted by major browsers, first-party cookies are increasingly being used for web tracking. Prior work has shown that third-party scripts embedded in the main frame can access and exfiltrate first-party cookies—including those set by other third-party scripts. However, existing browser security mechanisms such as the Same-Origin Policy (SOP), Content Security Policy (CSP), and third-party storage partitioning do not prevent cross-domain access to first-party cookies in the main frame. While recent studies have begun to highlight this issue, there remains a lack of comprehensive measurement and practical defenses. In this work, we conduct the first large-scale measurement and analysis of cross-domain access to first-party cookies across 20,000 websites. We find that 56% of the websites include third-party scripts that exfiltrate first-party cookies they did not set, 32% allow such scripts to overwrite or delete them, revealing potential confidentiality and integrity risks. To mitigate this, we propose CookieGuard, a browser-based runtime mechanism to isolate first-party cookies on a per-script-origin basis. CookieGuard blocks unauthorized cross-domain cookie operations while preserving site functionality in most cases, with only 3% affected by Single Sign-On (SSO) breakage. Our work highlights the risks posed by the lack of first-party cookie isolation in current browser models and offers a deployable path toward stronger protection.
ACM Internet Measurement Conference (IMC)
2025-10-02
2025-10-02