There is some important information about cookies and browsers and how they interact between domains.
- Websites may set cookies for their own website.
- Websites cannot set cookies for another website.
- Cookies can be set in a response or by using things like JavaScript.
The first two may seem confusing, especially when some sources claim that they are possible. It is important to note that they only affect cases where the response directly sets a cookie using the Set-Cookie header, which allows the website to set a cookie directly. There are some special cases for things like subdomains, but in general you should not expect browsers to respect cookies set on other domains that you do not control.
If you were allowed to arbitrarily set cookies on other websites, this would open the door for websites to arbitrarily set and disable cookies that you use, even if they are not connected. This includes the ability to register one of the domains in only one answer, which is impossible.
The third point is important for cases such as advertising, since cookies can be set using the Set-Cookie header (or response.set_cookie in Django) or using JavaScript via the document.cookie property. Since JavaScript can be enabled from any domain using the src property in the <script> tags, any domain can manage cookies in another domain if it is enabled via JavaScript. This is important for how many analytics services, such as Google Analytics, work because it allows them to store unique cookies on every website for every user that is controlled, although they do not have full control over the response. They also commonly use tracking beacons in the form of images to send data back to an external domain and associate them with a saved cookie.
The answer you refer to talks about this with images, but explains that it doesn’t actually set a cookie in another domain. A cookie that is set using an image or frame is stored only in an external domain and cannot be accessed from the domain, including the remote image.
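To make the three rules above concrete, here is an added example (not part of the original answer or of any browser's code): a small Node.js model of the cookie-jar domain rules from RFC 6265. The hostnames shop.example and tracker.example are constructed for the example, and the CookieJar class is a deliberate simplification: it handles only the name, value and Domain attribute, and ignores Path, Secure, HttpOnly, SameSite and the public-suffix list that real browsers also apply. The scenario walks through a first-party Set-Cookie, a rejected attempt to set a cookie for another domain, the subdomain-to-parent special case, a third-party script writing document.cookie in the page's origin, and a tracking pixel whose Set-Cookie lands only in the tracker's own domain.

```javascript
// Added example, not code from the original answer. Hostnames below are
// constructed; the jar is a simplified model of RFC 6265 domain matching.

// RFC 6265 section 5.1.3 domain-matching: the request host either equals the
// cookie domain or ends with "." + domain. IP-address handling is omitted.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse one Set-Cookie header value into { name, value, domain }.
// Only the Domain attribute is interpreted; other attributes are ignored.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim());
  const [name, ...rest] = parts[0].split("=");
  const cookie = { name: name.trim(), value: rest.join("=").trim(), domain: null };
  for (const attr of parts.slice(1)) {
    const [k, v = ""] = attr.split("=");
    if (k.trim().toLowerCase() === "domain") {
      cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
    }
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = []; // entries: { name, value, domain, hostOnly }
  }

  // Store a cookie carried in a response from `responseHost`.
  // Returns true if accepted, false if a browser would reject it.
  store(responseHost, setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    let domain;
    let hostOnly;
    if (c.domain === null) {
      // No Domain attribute: host-only cookie for exactly this host.
      domain = responseHost.toLowerCase();
      hostOnly = true;
    } else {
      // Domain must cover the responding host. A response from shop.example
      // may say Domain=shop.example (or a parent of a subdomain), but a
      // response from shop.example asking for Domain=tracker.example is dropped.
      if (!domainMatches(responseHost, c.domain)) return false;
      domain = c.domain;
      hostOnly = false;
    }
    this.cookies = this.cookies.filter((e) => !(e.name === c.name && e.domain === domain));
    this.cookies.push({ name: c.name, value: c.value, domain, hostOnly });
    return true;
  }

  // A document.cookie write from a page served by `pageHost`. A third-party
  // <script src=...> runs in the embedding page's origin, so its writes are
  // treated exactly like a Set-Cookie from that page's host.
  setFromScript(pageHost, cookieString) {
    return this.store(pageHost, cookieString);
  }

  // Cookies that would be attached to a request to `host`.
  cookiesFor(host) {
    host = host.toLowerCase();
    return this.cookies
      .filter((e) => (e.hostOnly ? e.domain === host : domainMatches(host, e.domain)))
      .map((e) => `${e.name}=${e.value}`);
  }
}

// Scenario: a page on shop.example embeds a script and an image from tracker.example.
function runScenario() {
  const jar = new CookieJar();
  // 1. shop.example's own response sets a cookie for shop.example.
  const ownOk = jar.store("shop.example", "session=abc; Path=/; Domain=shop.example");
  // 2. shop.example tries to set a cookie for tracker.example: rejected.
  const crossRejected = jar.store("shop.example", "x=1; Domain=tracker.example");
  // 3. Subdomain special case: www.shop.example may set a cookie for shop.example.
  const parentOk = jar.store("www.shop.example", "pref=dark; Domain=shop.example");
  // 4. tracker.example's script, running inside shop.example's page, writes
  //    document.cookie; the cookie belongs to shop.example, not the tracker.
  jar.setFromScript("shop.example", "_ga=GA1.2.123; Domain=shop.example");
  // 5. The tracking pixel's response sets a cookie for tracker.example only.
  jar.store("tracker.example", "tid=xyz");
  return {
    ownOk,
    crossRejected,
    parentOk,
    sentToShop: jar.cookiesFor("shop.example"),
    sentToShopSub: jar.cookiesFor("www.shop.example"),
    sentToTracker: jar.cookiesFor("tracker.example"),
  };
}

console.log(runScenario());
```

Running it shows shop.example (and its subdomains) receiving session, pref and the script-written _ga cookie, while tracker.example receives only its own tid cookie; the cookie the image response set is never sent to shop.example, and the attempt by shop.example to set a cookie for tracker.example is rejected outright.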