COOKIEGUARD: Characterizing and Isolating the First-Party Cookie Jar

TL;DR

This paper presents CookieGuard, a new browser-based mechanism that isolates first-party cookies per script-origin, addressing significant cross-domain cookie exfiltration and modification risks uncovered through large-scale measurement of 20,000 websites.

Contribution

It provides the first large-scale measurement of cross-domain cookie access and introduces CookieGuard, a practical enforcement mechanism for stronger cookie isolation in browsers.

Findings

56% of websites have third-party scripts exfiltrating cookies

32% allow unauthorized overwriting or deletion of cookies

CookieGuard blocks unauthorized cookie operations with minimal site disruption

Abstract

As third-party cookies are being phased out or restricted by major browsers, first-party cookies are increasingly repurposed for tracking. Prior work has shown that third-party scripts embedded in the main frame can access and exfiltrate first-party cookies, including those set by other third-party scripts. However, existing browser security mechanisms, such as the Same-Origin Policy, Content Security Policy, and third-party storage partitioning, do not prevent this type of cross-domain interaction within the main frame. While recent studies have begun to highlight this issue, there remains a lack of comprehensive measurement and practical defenses. In this work, we conduct the first large-scale measurement of cross-domain access to first-party cookies across 20,000 websites. We find that 56 percent of websites include third-party scripts that exfiltrate cookies they did not set, and 32 percent allow unauthorized overwriting or deletion, revealing significant confidentiality and integrity risks. To mitigate this, we propose CookieGuard, a browser-based runtime enforcement mechanism that isolates first-party cookies on a per-script-origin basis. CookieGuard blocks all unauthorized cross-domain cookie operations while preserving site functionality in most cases, with Single Sign-On disruption observed on 11 percent of sites. Our results expose critical flaws in current browser models and offer a deployable path toward stronger cookie isolation.