What are third-party cookies?

A third-party cookie is a cookie set by a site that's different from the site you're visiting.

Imagine you visit the website cats.example.

The mythical cats.example website, without iframe from cat-hire.example.

As you can see, cats.example includes content and services from several external, third-party sites:

  • A map from catmap.example
  • An ad from adtech.example
  • An analytics script from analytics.example

Any of these sites can send a cookie in response to a request.

analytics.example or adtech.example might use cookies to distinguish between different users. catmap.example might keep a record of your favourite cat location. Any cookie from these sites will be treated by your browser as a third-party cookie, since it's not set by the top-level site shown in the address bar, cats.example.

Third-party cookies aren't just from third parties

cats.example might also include an iframe from their microsite cat-hire.example.

The mythical cats.example website, including an iframe from cat-hire.example.

Even though both sites are owned by the same company, requests to cat-hire.example from cats.example are treated by the browser as cross-site, since (of course) they're different sites.

If the cat-hire.example iframe sets a cookie, the browser will treat it as a third-party cookie, since it's not from the top-level site cats.example.

Third-party cookies are really cross-site cookies.

A third-party cookie may be from:

  • A third party, such as the analytics.example JavaScript included on cats.example.
  • A different site belonging to the same "first party" as the top-level site, such as the cat-hire.example iframe on cats.example.

And just to be clear, the same mechanisms are used to communicate and store first-party and third-party cookies. A cookie is a name and a value communicated using HTTP headers, and stored as text by your browser—no matter whether it's a first-party cookie or a third-party cookie. The difference is in where cookies are from, relative to where they're used, which determines how they're handled by the browser.
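The classification described above, as an added example (not code from the original page): each cookie is labelled by comparing the site that sent it with the top-level site. The one-entry suffix list, the function names, the cookie values and the shop.cats.example subdomain are assumptions made for illustration. The subdomain goes beyond the cases in the text to show that a host on the same site stays first-party.

```javascript
// Added example, not from the original page.
// Constructed stand-in for the Public Suffix List that browsers consult.
const PUBLIC_SUFFIXES = new Set(["example"]);

// Registrable domain (public suffix plus one label) of a URL's host.
// Simplification: the URL scheme is ignored.
function siteOf(url) {
  const labels = new URL(url).hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a public suffix: no site.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // unknown suffix: treat the whole host as the site
}

// Extract the name and value from a Set-Cookie header value.
function parseSetCookie(header) {
  const pair = header.split(";")[0];
  const eq = pair.indexOf("=");
  if (eq < 0) return { name: "", value: pair.trim() };
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Label each cookie by comparing the responding site with the top-level site.
function classifyCookies(topLevelUrl, responses) {
  const topSite = siteOf(topLevelUrl);
  return responses.map(({ url, setCookie }) => {
    const setBy = siteOf(url);
    const party = setBy !== null && setBy === topSite ? "first-party" : "third-party";
    return { ...parseSetCookie(setCookie), setBy, party };
  });
}

// Constructed responses seen while cats.example is in the address bar.
const SAMPLE = [
  { url: "https://cats.example/", setCookie: "session=abc; Path=/" },
  { url: "https://shop.cats.example/cart", setCookie: "cart=3" },
  { url: "https://analytics.example/a.js", setCookie: "uid=u-42; Secure" },
  { url: "https://catmap.example/embed", setCookie: "fav=park" },
  { url: "https://cat-hire.example/frame", setCookie: "lang=en" },
];

function demo() {
  return classifyCookies("https://cats.example/", SAMPLE);
}

for (const c of demo()) console.log(`${c.name} from ${c.setBy}: ${c.party}`);
```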

Third-party cookies can be blocked by browser design, user settings or Enterprise policies.

Cookie blocking explains how this works.

Solutions and alternatives

Third-party cookies present privacy and security vulnerabilities, but there are legitimate reasons for sharing information across websites. You can find out more about safer, more privacy-focused mechanisms to enable cross-site information sharing from our Solutions guidance.

Find out more