
Facebook is setting a cookie on a different hostname belonging to a static web site that only contains a single iframe whose src points to a Facebook like button.

Let me say that again. Facebook is setting a cookie on a different hostname from a single iframe. This different hostname has no script tags in its HTML, and no Set-Cookie HTTP headers are involved in setting the cookie.

So how is it possible that a datr cookie is being set from an iframe on a different hostname? I have verified that this web site sets no cookies of its own and has no script tags of any kind, so the cookie cannot be coming from anywhere else.

This is happening intermittently in Firefox with third-party cookies strictly blocked. I have not yet seen this in Chrome. Sometimes it isn't happening in Firefox either, but I have seen it multiple times now in a fresh new private window session.

It's definitely being set on a different hostname and not just on Facebook, although it's being set there too when third-party cookies are allowed.

I have a bunch of browser add-ons, but nothing that is Facebook related. In fact, I never use Facebook. This datr cookie also isn't turning up anywhere else except on this one static site that contains the iframe containing the like button. And since, using the developer tools, I've analyzed the HTTP response headers to be sure and have found no Set-Cookie headers, I can only conclude that it's coming from Facebook. I just don't know how, since I've always thought you can't set cookies on a different host even if your page is embedded in that host in an iframe. It could if there were a script tag, but there are no script tags.

I found this question, but the answer doesn't explain what's happening. I'm not sure it's even referring to the same issue.

According to the above link, Facebook can set a cookie on a different hostname by submitting a form with method=post and action=differenthostname. But how does that make any sense? The cookie would still have to be coming from the different host via a Set-Cookie header.

In my case I know that isn't happening, because I have blocked POST requests. Submitting anything other than a GET or HEAD request to this domain triggers an error message.

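The rule the question is relying on ("a response from one host can't set a cookie for another host") is the Domain-matching check from RFC 6265 section 5.3. The following is an added example, not part of the question or of any answer and not Facebook's code: a small Node.js model of that check, plus the matching rule a browser applies when deciding which stored cookies to send with a request. The hostnames (www.facebook.com, static.example.net) and the cookie values are constructed for illustration; the model ignores public-suffix checks, Path, Secure and third-party blocking, which only make storage stricter, not looser.

```javascript
// Added example, not from the original question. Simplified model of the
// RFC 6265 rules a user agent applies to a Set-Cookie header and when
// selecting cookies for a request. Hostnames and values are constructed.

// RFC 6265 5.1.3: host domain-matches domain if they are identical, or if
// host ends with domain, the character before that suffix is '.', and host
// is not an IPv4 address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith(domain)) return false;
  const isIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return host[host.length - domain.length - 1] === '.' && !isIpv4;
}

// Split a Set-Cookie header value into its name=value pair and attributes.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name: ignore the header
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[k] = i < 0 ? '' : a.slice(i + 1);
  }
  return cookie;
}

// RFC 6265 5.3 steps 4-6: a cookie from a response served by requestHost is
// either host-only (no Domain attribute), scoped to the Domain attribute when
// requestHost domain-matches it, or ignored entirely. Returns null when the
// user agent must ignore the cookie. This is why a response served by
// www.facebook.com cannot create a cookie scoped to static.example.net:
// only a response from static.example.net (or a parent of it) can.
function storeCookie(requestHost, header) {
  const c = parseSetCookie(header);
  if (!c) return null;
  const domain = (c.attrs.domain || '').replace(/^\./, '').toLowerCase();
  if (domain === '') {
    return { name: c.name, value: c.value, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatches(requestHost, domain)) return null;
  return { name: c.name, value: c.value, domain, hostOnly: false };
}

// RFC 6265 5.4 step 1, domain part only: a host-only cookie is sent to its
// exact host; a domain cookie is sent to any host that domain-matches it.
function cookieSentTo(stored, host) {
  return stored.hostOnly
    ? host.toLowerCase() === stored.domain
    : domainMatches(host, stored.domain);
}

// Constructed scenario: a Facebook-served response inside an iframe tries to
// set datr for its own domain and, separately, for the embedding host.
const ownDomain = storeCookie('www.facebook.com',
  'datr=constructed-value; Domain=.facebook.com; Path=/; Secure; HttpOnly');
const otherHost = storeCookie('www.facebook.com',
  'datr=constructed-value; Domain=static.example.net; Path=/');
console.log('scoped to facebook.com:', ownDomain && ownDomain.domain);
console.log('scoped to the embedding host:', otherHost); // null: ignored
console.log('sent to static.example.net:',
  ownDomain ? cookieSentTo(ownDomain, 'static.example.net') : false); // false

module.exports = { domainMatches, parseSetCookie, storeCookie, cookieSentTo };
```

The only path in this model that produces a datr cookie scoped to the static host is a Set-Cookie header in a response served by that host (the second-to-last branch of storeCookie with requestHost equal to the embedding host), which is exactly what a cross-origin form POST would need the other server to send and what the question reports is blocked.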