Updated Aug. 28, 2024. Take back your privacy Firefox is rolling out Total Cookie Protection by default to more Firefox users worldwide, making Firefox the
The problem is that a website is generally not served from one domain.
Put a Facebook like button on your website, it’s loaded directly from Facebook servers. Now they can put a cookie on your computer with an identifier.
Now every site you visit with a Facebook like button, they know it was you. They can watch you as you move around the web.
Google does this at a larger scale. Every site with Google ads on it. Every site using Google analytics. Every site that embeds a Google map. They can stick a cookie in and know you were there.
Yes, it’s the reason for the tracking. To sell more targeted ads.
If you’re up for reading some shennanigans, check out the book Mindf*ck. It’s about the Cambridge Analytica scandal, written by a whistleblower, and details election manipulation using data collected from Facebook and other public or purchased data.
It doesn’t have to be. Your browser sends the cookies for a domain with every request to that domain. So you have a website example.com, that embeds a Facebook like button from Facebook.com.
When your browser downloads the page, it requests the different pieces of the page. It requests the main page from example.com, your browser sends any example.com cookies with the request.
Your browser needs the javascript, it sends the cookie in the request to get the JavaScript file. It needs the like button, it sends a request off to Facebook.com and sends the Facebook.com cookies with it.
Facebook puts an identifier in the cookie, and any request to Facebook sends that cookie and the site it was loaded on.
So you log in to Facebook, it puts an identifier in your cookies. Now whenever you go to other sites with a Facebook like button (or the Facebook analytics stuff), Facebook links that with your profile.
Not logged in? Facebook sets an identifier to track you anyway, and links it up when you make an account or log in.
There is a referer header sent, but depending on the exact code added to the page, it’s very likely they are loading a snippet of JavaScript that lets them collect other information and trigger their own sending of information to their server.
For example, Google Analytics has javascript added to the page, but loading fonts from Google’s CDN (which many sites do) will rely on the referer.
The problem is that a website is generally not served from one domain.
Put a Facebook like button on your website, it’s loaded directly from Facebook servers. Now they can put a cookie on your computer with an identifier.
Now every site you visit with a Facebook like button, they know it was you. They can watch you as you move around the web.
Google does this at a larger scale. Every site with Google ads on it. Every site using Google analytics. Every site that embeds a Google map. They can stick a cookie in and know you were there.
Is this also how they know which ads to feed you?
Yes, it’s the reason for the tracking. To sell more targeted ads.
If you’re up for reading some shennanigans, check out the book Mindf*ck. It’s about the Cambridge Analytica scandal, written by a whistleblower, and details election manipulation using data collected from Facebook and other public or purchased data.
Is that because the like button is an iframe?
It doesn’t have to be. Your browser sends the cookies for a domain with every request to that domain. So you have a website example.com, that embeds a Facebook like button from Facebook.com.
When your browser downloads the page, it requests the different pieces of the page. It requests the main page from example.com, your browser sends any example.com cookies with the request.
Your browser needs the javascript, it sends the cookie in the request to get the JavaScript file. It needs the like button, it sends a request off to Facebook.com and sends the Facebook.com cookies with it.
Note that the request to example.com doesn’t send the cookies for Facebook.com, and the request to Facebook.com doesn’t send the cookie for example.com to Facebook. However, it does tell Facebook.com that the request for the like button came from example.com.
Facebook puts an identifier in the cookie, and any request to Facebook sends that cookie and the site it was loaded on.
So you log in to Facebook, it puts an identifier in your cookies. Now whenever you go to other sites with a Facebook like button (or the Facebook analytics stuff), Facebook links that with your profile.
Not logged in? Facebook sets an identifier to track you anyway, and links it up when you make an account or log in.
Thank you for the explanation!
How is Facebook able to know what site is requesting it? Is it in the referer header, or is it parameters in the javascript/image url?
There is a referer header sent, but depending on the exact code added to the page, it’s very likely they are loading a snippet of JavaScript that lets them collect other information and trigger their own sending of information to their server.
For example, Google Analytics has javascript added to the page, but loading fonts from Google’s CDN (which many sites do) will rely on the referer.