3'rd party cookie - advertisers - implementation clarification?

Question

As I'm reading a lot about third party javascript/cookies - I have an implementation question.

I've seen this slide show (#45) (the context of the slide is about cross domain but it is used also for advertisers)

AFAIK it goes like this :

• First enterence to Site #1 : the site has a page .that page also holds an advertiser iframe from TotalNotTrackingYou.com.
  The SRC of the iframe has general info for that particular page content ( if any ).
  So TotalNotTrackingYou.com sends a cookie with identification token when the page #1 loads . This way - when you browse to other pages besides site #1 ( notice ! the user didn't click on any add yet !) - TotalNotTrackingYou.com knows what intereting topics you are interested .

• Now the user has left site #1 and went to site #2 which also holds an iframe from TotalNotTrackingYou.com. Same goes here. the cookie which was generated by site #1 request (which in turn loads an iframe) - is sent back to TotalNotTrackingYou.com which again - reads the referrer and the relevant querystring (at SRC) for that iframe .

• TotalNotTrackingYou.com (sends you cookies when their iframe loads at sites #1..#5) and learning only your navigation habbit (using referrer - which site you were on).But when you click on the advertising add - TotalNotTrackingYou.com now knows for sure what you are intereted in , and they add it to their db.
  from now on - all sites (which holds TotalNotTrackingYou.com iframe) will send relevant adds according to the user interests list..

  Question

  A script reference <script src='www.TotalNotTrackingYou.com/cookiecreator.ashx' /> can also send / recieve cookies. So why advertisers don't use scripts but iframes ?

Additional info. I know that 3rd party cookies are disabled by default in Safari. but there is a hack to create an iframe and a form and to post that form to that iframe - which will write cookie.

Answer 1

This hack in safari to allow 3rd party cookies by posting was fixed. (Btw, Google also received a hefty fine from the FCC for exploiting this "hack": http://www.theverge.com/2012/7/31/3207388/fcc-approval-google-fine-safari-cookies )

In any case, the reason that they use iframes is because the preferred method for storing data associated with the 3rd-party domain is no longer a 3rd party cookie, but instead localStorage. To access the localStorage of the 3rd-party domain, the javascript code has to be running under a document from that domain, hence why the iframe works, and not a script loaded on the 1st party domain.

The benefits of localStorage vs the cookie is that it's not blocked even when the user requests blocking of 3rd-party cookies. See for example this thread from Firefox development: https://bugzilla.mozilla.org/show_bug.cgi?id=536509 or this article running through the code itself http://log.scalemotion.com/2012/10/how-to-trick-safari-and-set-3rd-party.html