[Resolved] Adding cookies to the Allow list makes them bypass the 3rd party cookie blocking !?

%3CLINGO-SUB%20id%3D%22lingo-sub-2111123%22%20slang%3D%22en-US%22%3E%5BResolved%5D%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2111123%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20I%20turn%20on%203rd%20party%20cookie%20blocking%2C%20and%20add%3C%2FP%3E%3CUL%3E%3CLI%3E%3CSPAN%3E%5B*.%5Dyoutube.com%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3E%5B*.%5Dgoogle.com%3C%2FSPAN%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSPAN%3Eto%20the%20allow%20list%20of%20cookies%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F251349i1026376CE79AF4AA%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethis%20causes%20Google%20and%20YouTube%20cookies%20to%20be%20read%20and%20accessed%20in%20Reddit%20and%20other%20sites%2C%26nbsp%3BEven%20though%203rd%20party%20Cookie%20blocking%20is%20enabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%221.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F251350i736CB9B5464D38F6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%221.png%22%20alt%3D%221.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22dsadas.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F251351iE696934A5A9D618B%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22dsadas.png%22%20alt%3D%22dsadas.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EEdge%20(or%20Chromium%20in%20general%2C%20since%20it%20happens%20on%20Chrome%2088%20stable%20too)%20is%20confused.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Ethat%20Allow%20list%20is%20for%20allowing%20certain%20cookies%20to%20enter%20or%20stay%20in%20the%20browser%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethe%20Allow%20list%20is%20Not%20a%203rd%20party%20cookie%20bypass%20list.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3Emy%20actual%20setup%20and%20configuration%20was%20more%20complex%20but%20I%20had%20to%20do%20lots%20of%20testing%20to%20find%20out%20why%20Reddit%20still%20detects%20and%20asks%20me%20to%20sign%20into%20my%20Google%20account%20when%203rd%20party%20cookie%20blocking%20is%20enabled!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2111123%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E3rd%20party%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eblocking%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EChromium%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecookies%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114654%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114654%22%20slang%3D%22en-US%22%3Ethanks%20i%20will%20check%20on%20that%20when%20i%20get%20home%20%5E%5E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114652%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114652%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F390049%22%20target%3D%22_blank%22%3E%40Macqael%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20with%20the%20help%20of%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F458795%22%20target%3D%22_blank%22%3E%40eddiezato%3C%2FA%3E%26nbsp%3BI%20figured%20out%20the%20correct%20way%20to%20achieve%20what%20I%20was%20looking%20for%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fdiscussions%2Fdev-channel-update-to-90-0-782-0-is-live%2Fm-p%2F2114642%2Fhighlight%2Ftrue%23M43321%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fdiscussions%2Fdev-channel-update-to-90-0-782-0-is-live%2Fm-p%2F2114642%2Fhighlight%2Ftrue%23M43321%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMust%20disable%20these%20toggles%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22%7B784450B7-CE76-42E6-A0A9-583407436DF8%7D.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F252495iB5F7934DF8DD3BAF%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22%7B784450B7-CE76-42E6-A0A9-583407436DF8%26amp%3B%23125%3B.png%22%20alt%3D%22%7B784450B7-CE76-42E6-A0A9-583407436DF8%26amp%3B%23125%3B.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eand%20then%20I%20added%20sites%20I%20frequently%20visit%20to%20the%20Allow%20list%2C%20with%20the%20checkbox%20to%20allow%203rd%20party%20cookies%20of%20certain%20websites.%3C%2FP%3E%3CP%3Eeverything%20is%20working%20as%20expected%20now.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20log%20into%20YouTube%2C%20which%20saves%20Google%20cookies%20on%20my%20computer%2C%20and%20then%20I%20go%20to%20Reddit%20but%20the%20site%20no%20longer%20offers%20me%20to%20create%20an%20account%20with%20Google%2C%20because%20Reddit%20no%20longer%20reads%20Google%20cookies%20on%20my%20browser.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113653%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113653%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F390049%22%20target%3D%22_blank%22%3E%40Macqael%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20exactly%2C%3C%2FP%3E%3CP%3Ewell%20how%20do%20you%20feel%20about%20it%3F%3C%2FP%3E%3CP%3EI%20shared%20my%20thoughts%20on%20it%20here%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fdiscussions%2Fdev-channel-update-to-90-0-782-0-is-live%2Fm-p%2F2111617%2Fpage%2F2%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fdiscussions%2Fdev-channel-update-to-90-0-782-0-is-live%2Fm-p%2F2111617%2Fpage%2F2%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113297%22%20slang%3D%22en-US%22%3ERE%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113297%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F953281%22%20target%3D%22_blank%22%3E%40Pajenterprises260%3C%2FA%3E%26nbsp%3Byes%20it's%20why%20insider%20like%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F310193%22%20target%3D%22_blank%22%3E%40HotCakeX%3C%2FA%3E%26nbsp%3Band%20me%20are%20for%2C%20found%20an%20unexpected%20behavior%20in%20the%20software%2C%20confirm%20the%20bug%20and%20report%20it%20to%20the%20dev%20like%20that%20they%20can%20fix%20it%20before%20any%20blackHat%2FTracker%2FAds%20use%20it%20for%20evil%20thing.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113292%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113292%22%20slang%3D%22en-US%22%3Eno%20i%20don't%20use%20paypal%20(i%20have%20a%20prepaid%20master%20card%20(i%20add%20fund%20on%20it%20instantly)%20so%20paypal%20isn't%20usefull%20to%20me%3CBR%20%2F%3EThe%20only%20website%20autorized%20is%20the%20website%20who%20have%20the%20paypal%20object%20on%20it%2C%20if%20i%20deny%20this%20website%20the%20paypal%20cookie%20don't%20appear%20again%20(so%20it%20must%20be%20a%20thirs%20party%20cookie)%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113069%22%20slang%3D%22en-US%22%3ERE%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113069%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F953281%22%20target%3D%22_blank%22%3E%40Pajenterprises260%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F953281%22%20target%3D%22_blank%22%3E%40Pajenterprises260%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3EBOKER'S%20Thank%20you%20all%20for%20your%20support%20to%20my%20communities%20shares%20blesses%20one%20love%20Education%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3Eyou're%20welcome!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2112356%22%20slang%3D%22en-US%22%3ERE%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2112356%22%20slang%3D%22en-US%22%3EBOKER'S%20Thank%20you%20all%20for%20your%20support%20to%20my%20communities%20shares%20blesses%20one%20love%20Education%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2112312%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2112312%22%20slang%3D%22en-US%22%3EHey%2C%20thanks%20for%20testing%2C%3CBR%20%2F%3Edid%20you%20add%20%22PayPal.com%22%20to%20the%20Allow%20list%20prior%20to%20going%20to%20that%20website%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3Eyou%20don't%20need%20to%20have%20a%20reddit%20account%2C%20i%20don't.%3CBR%20%2F%3Eif%20you%20are%20logged%20into%20Google%20and%20YouTube%2C%20those%20cookies%20will%20be%20read%20by%20reddit%20website%2C%20offering%20you%20to%20create%20a%20reddit%20account%20using%20those%20sites.%3CBR%20%2F%3E%3CBR%20%2F%3Eyes%20the%20problem%20is%20reproducible%20on%20Google%20Chrome%20stable%2088%2C%20Edge%20stable%2088%20all%20the%20way%20to%20Edge%20canary%2090.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2112046%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20cookies%20to%20the%20Allow%20list%20makes%20them%20bypass%20the%203rd%20party%20cookie%20blocking%20!%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2112046%22%20slang%3D%22en-US%22%3E%3CP%3Ei%20actually%20have%20reproduced%20it%20on%20the%20%22stable%22%20channel.%20i%20navigate%20through%20a%20website%20who%20use%20paypal%20(without%20clicking%20on%20any%20link%20to%20paypal)%20and%20if%20i%20go%20to%20edge%3A%2F%2Fsettings%2FsiteData%2C%20i%20see%20there%20is%20a%20third%20party%20cookie%20from%20paypal.com.%3CBR%20%2F%3E%3CBR%20%2F%3EBut%20in%20case%20of%20youtube%20and%20reddit%20i%20can't%20reproduce%20since%20i%20don't%20connect%20myself%20to%20reddit.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Honored Contributor

When I turn on 3rd party cookie blocking, and add

  • [*.]youtube.com
  • [*.]google.com

to the allow list of cookies

 

image.png

 

this causes Google and YouTube cookies to be read and accessed in Reddit and other sites, Even though 3rd party Cookie blocking is enabled.

 

 

1.png

 

dsadas.png

 

Edge (or Chromium in general, since it happens on Chrome 88 stable too) is confused.

that Allow list is for allowing certain cookies to enter or stay in the browser,

 

the Allow list is Not a 3rd party cookie bypass list.

 

my actual setup and configuration was more complex but I had to do lots of testing to find out why Reddit still detects and asks me to sign into my Google account when 3rd party cookie blocking is enabled!

 

9 Replies

i actually have reproduced it on the "stable" channel. i navigate through a website who use paypal (without clicking on any link to paypal) and if i go to edge://settings/siteData, i see there is a third party cookie from paypal.com.

But in case of youtube and reddit i can't reproduce since i don't connect myself to reddit.

Hey, thanks for testing,
did you add "PayPal.com" to the Allow list prior to going to that website ?

you don't need to have a reddit account, i don't.
if you are logged into Google and YouTube, those cookies will be read by reddit website, offering you to create a reddit account using those sites.

yes the problem is reproducible on Google Chrome stable 88, Edge stable 88 all the way to Edge canary 90.

BOKER'S Thank you all for your support to my communities shares blesses one love Education

@Pajenterprises260 


@Pajenterprises260 wrote:
BOKER'S Thank you all for your support to my communities shares blesses one love Education

you're welcome!

no i don't use paypal (i have a prepaid master card (i add fund on it instantly) so paypal isn't usefull to me
The only website autorized is the website who have the paypal object on it, if i deny this website the paypal cookie don't appear again (so it must be a thirs party cookie)

@Pajenterprises260 yes it's why insider like @HotCakeX and me are for, found an unexpected behavior in the software, confirm the bug and report it to the dev like that they can fix it before any blackHat/Tracker/Ads use it for evil thing.

@Wittycat 

So with the help of @eddiezato I figured out the correct way to achieve what I was looking for

 

https://techcommunity.microsoft.com/t5/discussions/dev-channel-update-to-90-0-782-0-is-live/m-p/2114...

 

Must disable these toggles

 

{784450B7-CE76-42E6-A0A9-583407436DF8}.png

 

and then I added sites I frequently visit to the Allow list, with the checkbox to allow 3rd party cookies of certain websites.

everything is working as expected now.

 

I can log into YouTube, which saves Google cookies on my computer, and then I go to Reddit but the site no longer offers me to create an account with Google, because Reddit no longer reads Google cookies on my browser.

thanks i will check on that when i get home ^^