Ken Kinder

Reputation: 13140

If I use another domain name to serve my JavaScript, and that JavaScript sets a cookie, does that count as a third-party cookie?

I'm looking at using Amazon Cloudfront to distribute my JavaScript.

What I'm not clear on, however, is what happens to cookies if I do that. For example, if my site is example.com, and I'm including JavaScript from foo.cloudfront.net, does that JavaScript have access to cookies I set on example.com and vice versa? What's the best approach for cookie safety when you are serving your assets from another domain?

Upvotes: 8

Views: 493

Answers (2)

davin

Reputation: 45545

The JavaScript executes in the context of example.com, so no matter where it's served from, it will be able to access those cookies, and those cookies only. This encapsulation, which presumably is what you meant by cookie-safety, is enforced by the browser and shouldn't be something that you need to worry about.

There might be third-party cookies set in the distribution of the files (that depends on the distribution network, in this case Amazon's), although that won't be visible to the JavaScript, nor should it interest the JavaScript. If there are third-party cookies set, you should mention that in your privacy policy.

And to answer the question in the header: no, setting a cookie in code distributed from another domain does not count as third-party, since it executes under example.com, and will therefore only be able to set cookies under that domain.

Upvotes: 3
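
The scoping described in this answer, as a small runnable model added here (not code from the post or from any browser): cookies are keyed to the host of the document or HTTP response, never to the URL a script was loaded from. It is a simplification that ignores paths, Secure, SameSite and public-suffix checks; the `HttpOnly` cookie shows the one class of page cookies that no script in the page can read, wherever it is hosted.

```javascript
// Simplified model of browser cookie scoping. Hosts and values are constructed samples.

// RFC 6265 section 5.1.3 domain-match: does a cookie scoped to cookieDomain apply to host?
function domainMatch(host, cookieDomain, hostOnly) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  return !hostOnly && host.endsWith("." + cookieDomain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // settingHost is the host of the document (for document.cookie writes) or of the
  // HTTP response (for Set-Cookie). The URL a script was fetched from is never used.
  set(settingHost, { name, value, domain, httpOnly = false }) {
    const hostOnly = domain === undefined;
    const scope = hostOnly ? settingHost : domain;
    // A host can only scope a cookie to itself or a parent domain.
    if (!domainMatch(settingHost, scope, hostOnly)) return false;
    this.cookies.push({ name, value, domain: scope, hostOnly, httpOnly });
    return true;
  }

  // Cookies the browser attaches to an HTTP request for `host`.
  forRequest(host) {
    return this.cookies.filter((c) => domainMatch(host, c.domain, c.hostOnly));
  }

  // What document.cookie returns to any script running in a page on documentHost.
  forScript(documentHost) {
    return this.forRequest(documentHost).filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

function demo() {
  const jar = new CookieJar();
  const page = "example.com", cdn = "foo.cloudfront.net";
  jar.set(page, { name: "session", value: "s1", httpOnly: true }); // Set-Cookie from example.com
  jar.set(cdn, { name: "cdn_id", value: "c9" }); // Set-Cookie on the CDN's response
  jar.set(page, { name: "prefs", value: "1" }); // document.cookie write by the CDN-hosted script
  const crossSet = jar.set(page, { name: "x", value: "y", domain: cdn }); // rejected
  return {
    crossSet,
    visibleToScript: jar.forScript(page),
    sentToCdn: jar.forRequest(cdn).map((c) => c.name),
  };
}
console.log(demo());
```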

Leon

Reputation: 4532

Doesn't matter where the JavaScript code itself is hosted, what's important is the context in which it's running - so the cookie will be correctly set to whatever host your main page is loading from...

Upvotes: 1
