Semantics. He says there's no significant difference between 1st & 3rd party cookies and then goes on to say that third party cookies are obtained from sites / locations other than the one to which you are logged on. THAT's a significant difference in my book and the reason my browsers are always set to accept first party cookies but reject 3rd party cookies.
Yeah, I thought that was weird myself. There is no difference, except for this. But then there is a difference.
His point is that, operationally, there is no difference; whether a cookie is first-party or third party is something that requires context. If you go to twitter.com, twitter.com cookies are first party cookies.
When you go to another site that uses the twitter API, such as (in his example) huffington post, or a wide variety of other sites, those same twitter cookies are now third party cookies, <BUT> they are being accessed by twitter itself. Much like how nobody really distinguishes between first party images (images on the same server) and third party images (images hosted elsewhere). The part that matters of course is that cookies are typically set and retrieved by browser-side javascript, as well as passed along in HTTP headers. Basically, if you go to a site that uses the twitter API:
-the browser loads the site. It sends it any cookies indexed for that site. The site itself doesn't actually get any cookies for twitter on its own.
-a javascript or other client-side script, typically provided via the copy-paste code of twitter, references files on platform.twitter.com. The browser loads that data using an HTTP GET request, sending the twitter cookies in the header. But the twitter cookies are being sent to twitter, so how are they third-party?
The reason people find this to be a problem is that advertisements can track user movements across the web if their ads embed that sort of logic; each usage of the advertisement would have the same code to retrieve some data from an ad server (doubleclick or whatever) and thus each one can send in the current documentURL as a cookie, as well as perhaps a unique ID for that person to be stored as a local cookie. That server can then index all the pages a given IP has visited that contain ads in that fashion, and further logic can perform analytics to target future advertisements for ads that send in that cookie. There are of course two ways to combat this- the first is to disable third party cookies, but then a lot of various platform technologies stop working; things like facebook or twitter widgets won't always work properly. The basic idea in that case is that code referenced on other servers on that page won't get any cookies for their site. (i.e., even though the js refers to platform.twitter.com and loads files from there, the browser won't send the platform.twitter.com cookies). Sometimes this can be an added bonus, since those types of widgets are rather annoying sometimes. And this prevents ad exchanges from collecting any data about you.
I have to say I've sort of flip-flopped on the subject of targeted advertisements, which most of those things are aimed at. I used to think it was draconian and big-brothery, but now I don't think so anymore. For example, most advertisements I see are about Information technology related products regardless of where I am seeing the ad, which, even though I might never actually buy it or click them or anything of that sort, I much prefer being shown advertisements for Visual Studio add-ins than feminine hygiene products. At the very least it makes a change from the old Television commercial method of "throw all commercials at everybody and see what sticks, then make up some analytics data to make companies think it is effective". There was loose targeting of course in that ads were targeted sometimes around the program for which they comprised a commercial break, but there isn't any actual hard data for advertisers to use to determine effectiveness.
Naturally there are many people who feel advertisement is inherently evil, and block any and all ads, despite the implicit moral contract between the content provider and the person viewing said content. For a time I blocked ads on my own site until I removed them all because a few cents a month wasn't worth it. Of course the whole ad-blocking thing is a completely separate can-of-worms that is really only tangential to HTTP cookies. Now it's when ad agencies try to work around things like adblockplus that you get problems, since sometimes that can fall into the realm of exploit code to find browser implementation problems or issues with the add-in that they can exploit to get around user preferences. That's crossing a line, I think.
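
Added example, not part of the original posts: a toy cookie jar showing that "third party" is decided by the page in the address bar, not by the cookie, and what an embedded host can log with and without third-party blocking. The hosts `ads.example` and `blog.example`, the cookie values, and the last-two-labels site rule are assumptions made for the demo (real browsers use the Public Suffix List).

```javascript
// Toy model only: hosts ads.example / blog.example and all cookie values are constructed.
// Simplification: the "site" is the last two hostname labels.
const siteOf = (host) => host.split('.').slice(-2).join('.');

class ToyBrowser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // site -> cookie value
  }
  // Cookie attached to a request for `host` while `topLevel` is the page being viewed.
  cookieFor(host, topLevel) {
    const thirdParty = siteOf(host) !== siteOf(topLevel);
    if (thirdParty && this.blockThirdParty) return null;
    return this.jar.get(siteOf(host)) || null;
  }
  // Load a page plus the hosts its widgets reference; return each request
  // as the receiving server would see it.
  visit(page, embeddedHosts = []) {
    return [page, ...embeddedHosts].map((host) => ({
      host,
      referer: host === page ? null : page,
      cookie: this.cookieFor(host, page),
    }));
  }
}

// What one embedded host can reconstruct: embedding pages grouped by cookie ID.
function pagesSeenBy(host, requests) {
  const byId = {};
  for (const r of requests) {
    if (r.host !== host || !r.cookie || !r.referer) continue;
    (byId[r.cookie] = byId[r.cookie] || []).push(r.referer);
  }
  return byId;
}

function run(blockThirdParty) {
  const b = new ToyBrowser(blockThirdParty);
  b.jar.set('twitter.com', 'uid=42');  // set during an earlier first-party visit
  b.jar.set('ads.example', 'uid=abc'); // constructed ad-server cookie
  return [
    ...b.visit('twitter.com'),
    ...b.visit('www.huffingtonpost.com', ['platform.twitter.com', 'ads.example']),
    ...b.visit('blog.example', ['ads.example']),
  ];
}
```

With blocking off, the ad host links both embedding pages to one ID; with blocking on, the direct visit to twitter.com still carries its cookie but the embedded requests carry none.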