Zaraz – Life of cookies set by Zaraz in an environment subject to ITP

Dear Cloudflare community, I have a concern to raise with you; I report my research below.

Problems caused by ITP

ITP sets an expiration on first-party cookies set with JavaScript (ITP 2.1 – 2.2)

As first-party cookies set with scripting languages can also be used for cross-tracking purposes, Safari’s ITP sets a maximum expiration on all cookies set with JavaScript.

First-party cookies set using document.cookie using JavaScript are capped to a maximum lifespan of 7 days.

Furthermore, such cookies are capped to a 24-hour expiration if:

  • the referring domain is a known tracker
  • the URL has query parameters and/or fragments

This is called link decoration, which consists of adding tracking information such as an ID to URLs leading to other websites.

The impact of ITP on cookies extends to analytics cookies too. For example, Adobe Analytics and Google Analytics cookies that would have previously lasted for up to 2 years are now deleted after 7 days. This has big impacts on advertising, web analytics, and digital marketing in general.

Only first-party cookies set in the HTTP response header are not concerned, with the exception of CNAME cloaking. They are not affected by ITP and have no expiration restrictions on them.

How cookies are set by Zaraz

A new way to build third-parties

We first check for the existence of a cookie that identifies the session, called “visitor-identifier”. If it exists, we read its value; if not, we generate a new UUID for it. Note that the power of Workers is all accessible here: we use crypto.randomUUID() just like we can use any other Workers functionality. We then collect all the information our example tool needs — user agent, current URL, page title, screen resolution, client IP address — and the content of the “visitor-identifier” cookie. We construct the final URL that the Worker needs to send a request to, and we then use waitUntil to make sure the request gets there. Zaraz’s version of fetch gives our tools automatic logging, data loss prevention and retries capabilities.

Lastly, we return the value of the getCookieString function. Whatever string is returned by the run function is passed to the visitor as browser-side JavaScript. In this case, getCookieString returns something like `document.cookie = 'visitor-identifier=5006e6fa-7ce6-45ef-8724-c846f1953369; Path=/; Max-age=31536000';`, causing the browser to create a first-party cookie. The next time a user loads a page, the visitor-identifier cookie should exist, causing Zaraz to reuse the UUID instead of creating a new one.

My question

If I track events only with Zaraz without using external tools, Zaraz will set cookies via document.cookie using JavaScript, and if:

  • the referring domain is a known tracker
  • the URL has query parameters and/or fragments

the cookies will last only 24 hours, or am I wrong? If so, is there a solution to the problem?

Thanks so much.