7

The article here discusses tactics used by political campaigns. http://www.nytimes.com/2012/10/14/us/politics/campaigns-mine-personal-lives-to-get-out-vote.html

The part in question:

The campaigns have planted a piece of software called a cookie on voters' computers to see whether they frequently visit evangelical or pornographic websites, for clues to their moral views. Voters who visit religious websites may receive religion-friendly messages when they return to mittromney.com or barackobama.com.

How is this possible? I thought all modern browsers had same-origin policy security, under which website A has no access to any information about other websites B, C, etc.

The article sounds like the user is browsing:

1. presidentialcandidate.com
2. website2.com
3. website3.com
4. website4.com
5. presidentialcandidate.com

How can a cookie from visit #1 track the user's history and show up in visit #5?

4

1 Answer

6

It's true that browsers commonly won't accept or send cookies set for a different domain than the request itself. While actual implementations vary, one straightforward technique is using third-party cookies. If website2.com, website3.com and website4.com all embed resources from presidentialcandidate.com -- for example, an advertisement in an iframe, or a 1x1 pixel image -- and the user's browser accepts and sends third-party cookies, then presidentialcandidate.com can learn, through setting and retrieving of the cookie and HTTP referer headers, that the visitor has previously visited those sites.

RFC 6265 discusses the privacy implications of third-party cookies in greater detail.

It may not always be resources from presidentialcandidate.com that are enabling this process. For example, some services use cookie syncing to align cookie identifiers between services (a description of cookie syncing in one scenario).

answered 2012-10-22T17:46:25.000