Saturday 26 May 2012

The EU Cookie directive is impossible to implement

Well, OK, maybe not impossible, but it might as well be.

Here’s why. If you include any content that is not generated directly by your own site, a Set-Cookie header in the third-party response appears to be honoured by your browser.

For instance, I set up a file on my server that runs the following PHP whenever a particular JavaScript file is requested:

<?php
// Serve the response as JavaScript and attach a cookie to it.
header("Content-type: text/javascript");
header("Set-Cookie: GOTCHA=value; path=/; expires=Mon, 28-May-2012 00:00:00 GMT");

// The script body itself does nothing but pop up an alert.
echo <<<EOT
alert('hello')
EOT;
?>

If I then go to a third-party site, like jsfiddle.net, include the JavaScript file from my server and run it, it turns out that a cookie is indeed set for the third-party domain (my site, the one serving the JavaScript).

Now, in theory the law requires the third-party site to request permission before dropping the cookie. In practice, however, many third-party affiliate networks are requiring the affiliate to request that permission.

Note that the Information Commissioner itself is vulnerable to this: despite asking for permission, its site includes a script from another website. In this case it’s: http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js

As a result, they could unknowingly cause cookies to be deposited on your computer.
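The jsfiddle experiment and the Information Commissioner example both come down to the same audit question: which hosts does a page embed content from, and which of those responses carry a Set-Cookie header? The Python below is an added example, not code from the original post: it pulls the embedded script/img/iframe/link URLs out of a page, lists the third-party hosts, and parses the Set-Cookie headers from captured responses. The HTML and response headers are constructed samples, and example.invalid is a hypothetical host standing in for the author’s script server.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Tag/attribute pairs that make the browser fetch a resource from another host.
EMBED_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class EmbedCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # every URL the page loads as a sub-resource
    def handle_starttag(self, tag, attrs):
        wanted = EMBED_ATTRS.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def third_party_hosts(html, page_host):
    """Hosts other than page_host that the page embeds content from."""
    collector = EmbedCollector()
    collector.feed(html)
    hosts = {urlparse(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h != page_host)

def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    pair, *attrs = [p.strip() for p in header_value.split(";")]
    name, _, value = pair.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value, attributes

def audit(html, page_host, responses):
    """Cookies each embedded third-party host tries to set; responses: host -> [(header, value)]."""
    report = {}
    for host in third_party_hosts(html, page_host):
        report[host] = [parse_set_cookie(v) for k, v in responses.get(host, [])
                        if k.lower() == "set-cookie"]
    return report

# Constructed sample: a consent page embedding jQuery from a CDN plus a script
# from a hypothetical host (example.invalid) whose response carries Set-Cookie.
SAMPLE_HTML = """<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js"></script>
<script src="http://example.invalid/gotcha.js"></script>
<script src="/local.js"></script></head></html>"""
SAMPLE_RESPONSES = {  # headers are constructed, not captured from these hosts
    "ajax.googleapis.com": [("Content-Type", "text/javascript")],
    "example.invalid": [("Content-Type", "text/javascript"),
        ("Set-Cookie", "GOTCHA=value; path=/; expires=Mon, 28-May-2012 00:00:00 GMT")],
}
REPORT = audit(SAMPLE_HTML, "ico.example", SAMPLE_RESPONSES)  # ico.example: placeholder page host
```

A cookie with no Domain attribute is scoped to the host that served the script, which is exactly what the jsfiddle test shows. Browsers have since tightened third-party cookie handling (SameSite defaults, third-party cookie blocking), so the same test may give a different result today.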
