Please help me clarify my understanding of cookies, and what can be done in this scenario
1. My company mycompany-example.com has a widget service that injects HTML & JS code and useful content on a given website @api.mycompany-example.com
2. A customer C has a website website.mycustomer-example.com where he adds our widget. They add a div and a script that requests HTML/JS code from our API @api.mycompany-example.com and fills this div with content (the response is a JS response)
3. This widget, deployed on the customer C, then performs additional API requests to update its own content based on user actions
4. The content created from this widget includes links that, when clicked, will open new tabs to pages of our website www.mycompany-example.com
5. When reaching www.mycompany-example.com, we want to accurately track which widget our customer comes from, if possible without resorting to URL params or whatever ad tracking cookie that could be blocked (currently we are using URL params in the URLs of 4.).
Question: can I create, from 2. and 3., a server-side httpOnly cookie (containing a `widget_id`) of domain mycompany-example.com that can be used during step 5. when the user visits our website, so we know which widget they come from?

Correct my understanding, but when creating such a cookie at step 2. or 3., it would be considered a third-party cookie for the customer website website.mycustomer-example.com. This is what is going to be dropped in the future of Chrome (and the web in general?) and we should stop using.

However, will the browser still allow setting this cookie, which could later be used if/when the user ends up visiting our website?

Are there gaps in my understanding or security problems I'm missing?
When the HTML page on *.mycustomer-example.com contains a `<script>` element that loads JavaScript from a different domain like *.mycompany-example.com (your step 2), the JavaScript response can set a cookie. But this would be a third-party cookie and hence be blocked by browsers (Google Chrome will enforce such blocking starting in 2024). Even making it a partitioned cookie would not help you: the HTTP header in the JavaScript response will set the cookie in the browser, but the browser will only resend it while the top-level page is still from *.mycustomer-example.com. It will not send the cookie when the user opens a new tab at *.mycompany-example.com (your step 5). Your use case of using the same cookie within and without a cross-site embedding is indistinguishable from ad tracking and will therefore be blocked. I suggest that you simply place the information that you want transported either in a URL parameter or in a form field. In the latter case, the links in your step 4 become form submission buttons:

and clicking such a button produces a request like

which contains the `widget_id` in its body without "polluting" the URL.
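As an added example, not part of the answer above or of either party's code: the form-field approach applied to steps 4 and 5, with the widget rendering a POST form that carries `widget_id` into a first-party context on www.mycompany-example.com, and the server validating it there. The function names, the id format and the first-party cookie attributes are assumptions, and the cookie step goes beyond the answer, which only covers transporting the value.

```javascript
// Added example, not code from the question or the answer. Names and id format are assumed.
const SITE = 'https://www.mycompany-example.com';
// Only accept widget ids of a known shape; anything else is treated as absent.
const WIDGET_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Escape for an HTML attribute value: the widget injects markup into the
// customer's page, so widget_id and label must never break out of the attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Step 4 replacement: a form submission button that opens our site in a new tab
// and carries widget_id in the request body instead of a cookie or URL param.
function renderWidgetLink(widgetId, path, label) {
  if (!WIDGET_ID_RE.test(widgetId) || !path.startsWith('/')) {
    throw new Error('invalid widget id or path');
  }
  return `<form method="post" action="${SITE}${escapeAttr(path)}" target="_blank">` +
    `<input type="hidden" name="widget_id" value="${escapeAttr(widgetId)}">` +
    `<button type="submit">${escapeAttr(label)}</button></form>`;
}

// Step 5, server side: read widget_id from an application/x-www-form-urlencoded
// body. Returns null when the field is missing or not a well-formed id.
function parseWidgetId(body) {
  const id = new URLSearchParams(body).get('widget_id');
  return id !== null && WIDGET_ID_RE.test(id) ? id : null;
}

// Assumed design beyond the answer: once the id has arrived in a first-party
// context, our own site can keep it in a first-party, HttpOnly cookie.
function firstPartyCookie(widgetId) {
  if (!WIDGET_ID_RE.test(widgetId)) throw new Error('invalid widget id');
  return `widget_id=${widgetId}; Path=/; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax`;
}
```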