How does google set first party cookies for analytics tracking?

Question

Suppose I search for a website Website1 on google. When I click on a search result link, it takes me first to a google server URL and then redirects me to the actual site i.e. Website1.

From this I understand, that before redirecting to the actual website, google stores information like keyword used for search, etc in cookies for the website domain (which I am searching i.e. Website1) using cookies. Then, when the actual website loads, the analytics script extracts this information from the cookies and pushes it to Google Analytics server.

My question here is how can google store cookies on behalf of the other site. As per my understanding, first party cookies can be created and accessed by the domain itself.

Just to confirm if cookies can be set for other domains, I searched and found links similar to this.

Any pointers please?

Answer 1

You misunderstand the mechanism - the Google Analytics script gets keywords etc from the referring url (the click url in the search engine resulte page contains a lot of info like keyword and position of the search result in the serp).

The analytics script extracts the information from the referrer and (apart from sending it to google) stores it in a cookie (actually the new universal analytics does not do this anymore). But this happens on you own domain.

Google Analytics can set first party cookies for you domain because by embedding their javascript code in your website you have basically handed them the key to the city - Google can write and read cookies, they can - and do - load other scripts, they could steal sessions, deface your site etc. Not that Google has ever done that, but if you're out for world dominantion you should start by hacking the servers that deliver the analytics javascript code.

However Google cannot set a first party cookie from a google domain, and they do not need to. It's all in the referring url.