Cookies have become an essential part of the modern web. By default, a browser attaches a site's cookies to every request it sends to that site, regardless of which page initiated the request. This is what lets users keep track of which items they have added to their online shopping basket, or simply stay logged in to their favorite websites. However, cookies can also be exploited for more nefarious goals: advertising companies track users' online activities at large scale, and so-called cross-site attacks can be used to take over the account of an unwitting user. In response to this growing threat surface, a variety of defense mechanisms have been developed, either as anti-tracking or ad-blocking browser extensions, or as built-in browser features such as Tracking Protection in Firefox or SameSite cookies, which can be highly effective at thwarting cross-site attacks.
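To make the SameSite policy concrete, the following is an added example (written for this page; it is not code from the paper, from the framework, or from any browser) that models the attachment decision a browser has to make for every outgoing request: given a cookie's SameSite attribute and the site relationship between the page that initiated the request and the request's target, may the cookie be sent? Assumptions are marked in the code: the public-suffix table is a constructed stub covering only the sample hosts, cookies without a SameSite attribute are treated as Lax (Chromium's default; other browsers have defaulted to None), SameSite=None without Secure is treated as never sent, and scheme is ignored when comparing sites. All hosts and requests are constructed sample data.

```javascript
// Added example, not from the original page: a minimal model of the
// per-request SameSite cookie-attachment decision (Strict / Lax / None).

// Constructed stub of the public suffix list. A real implementation must use
// the full list from publicsuffix.org to compute the registrable domain.
const PUBLIC_SUFFIXES = new Set(["com", "example", "co.uk", "github.io"]);

// Registrable domain (eTLD+1) of a host, e.g. "shop.bank.example" -> "bank.example".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return host.toLowerCase();
}

// Two hosts are same-site when their registrable domains match. Scheme is
// ignored here (assumption); "schemeful same-site" would also compare it.
function isSameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Decide whether `cookie` may be attached to `request`.
//   cookie:  { name, sameSite?: "Strict" | "Lax" | "None", secure: boolean }
//   request: { targetHost, initiatorHost, topLevelNavigation: boolean, method }
// Returns the decision together with the rule that produced it.
function shouldAttachCookie(cookie, request) {
  const mode = cookie.sameSite || "Lax"; // assumption: Lax-by-default (Chromium behavior)
  if (mode === "None" && !cookie.secure) {
    // assumption: modern browsers reject SameSite=None cookies lacking Secure
    return { attach: false, reason: "SameSite=None requires Secure" };
  }
  if (isSameSite(request.initiatorHost, request.targetHost)) {
    return { attach: true, reason: "same-site request" };
  }
  switch (mode) {
    case "Strict":
      return { attach: false, reason: "Strict: never sent on cross-site requests" };
    case "Lax":
      if (request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase())) {
        return { attach: true, reason: "Lax: top-level navigation with a safe method" };
      }
      return { attach: false, reason: "Lax: cross-site subresource or unsafe method" };
    case "None":
      return { attach: true, reason: "None: explicitly allowed cross-site" };
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// Constructed sample data: a session cookie for bank.example, three cross-site
// requests initiated by attacker.example, and one same-site request.
const sessionLax = { name: "sid", sameSite: "Lax", secure: true };
const sessionStrict = { name: "sid", sameSite: "Strict", secure: true };

const csrfFormPost = { targetHost: "bank.example", initiatorHost: "attacker.example",
                       topLevelNavigation: true, method: "POST" };
const linkClick = { ...csrfFormPost, method: "GET" };
const imageLoad = { targetHost: "bank.example", initiatorHost: "attacker.example",
                    topLevelNavigation: false, method: "GET" };
const sameSiteXhr = { targetHost: "api.bank.example", initiatorHost: "www.bank.example",
                      topLevelNavigation: false, method: "POST" };

// Runs the sample requests and returns which ones would carry the cookie.
function runSamples() {
  return {
    laxCsrfPost: shouldAttachCookie(sessionLax, csrfFormPost).attach,      // false: CSRF blocked
    laxLinkClick: shouldAttachCookie(sessionLax, linkClick).attach,        // true: user stays logged in
    laxImageLoad: shouldAttachCookie(sessionLax, imageLoad).attach,        // false: no cross-site subresource
    strictLinkClick: shouldAttachCookie(sessionStrict, linkClick).attach,  // false: Strict blocks even navigations
    sameSiteXhr: shouldAttachCookie(sessionStrict, sameSiteXhr).attach,    // true: same registrable domain
  };
}

console.log(runSamples());
```

The point of the model is the last two sample rows: a Lax cookie is withheld from a cross-site form POST (the classic CSRF vector) but still sent on a plain link click, while Strict blocks even the navigation. Any request path that reaches the network without going through a decision like this one, whatever the browser internals that produce it, silently reverts to the attach-everything default.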

An important prerequisite for these privacy- and security-enhancing features to function properly is that every request complies with the imposed cookie policies. As browsers have become enormously complex, certain edge cases may have been overlooked, or the interplay of specific features may have unwanted side effects. In our research, we created a framework to verify whether all imposed cookie and request policies are correctly applied (it will be made available soon). Worryingly, we found that most mechanisms could be circumvented: for every ad-blocking and anti-tracking browser extension we evaluated, we discovered at least one technique that could bypass its policies. For the technical details of these findings, we invite you to read our paper, which was presented at USENIX Security '18.

We have been working with browser vendors and extension developers to mitigate the discovered issues. To verify whether you are affected by the bypasses we detected, feel free to explore the data on this website (please note that we are still working to have the most up-to-date information available).