How to block all but 1 cookie on a specific website?

I have noticed that websites I visit use cookies related to another website. For example, youtube would use cookies that are related to google.com. Although it does make sense, being that youtube is owned by google, but I’ve found that websites (that I havent logged into) that have the option to login with a google account also use cookies relating to google.com. I have cross site cookies disabled so I’m not sure what is causing this.

Is there a way to stop this problem? I thought a good solution would be to tell brave to block all but one or more cookies that I can choose or telling brave to block all cookies that do not come from the same domain as the website I’m visiting.

The cookies settings cant help me here because you can only block all cookies or block none (or block none until you close and reopen the site). I only want youtube to use youtube’s cookies not google’s.

Or maybe this is a big misunderstanding and I dont really know how cookies work. Maybe the cookies do come from the same site, but cookies made on one site cannot be shared with another, even though the cookies are both from the same domain. But I’m suspicious because I’ve noticed that google’s services are shared across all of google’s websites. For example, when I log into youtube, I am then logged into chrome’s webstore and I do not want that.

How to make sure cookies are always unique to each website and how to make sure that they are not shared? If data is shared because of what the website does, then that’s fine (like sharing data because of my IP address or something that doesnt change), but if it’s shared because of what my computer is telling them (like my cookies), I want to block that as much as possible.

Use ad block filters rather than the more general settings.

You mean Brave’s shields?

Btw, Here’s an example of a website called BiliBili using Google’s cookies, even though I’m not logged in

image1528×603 92.1 KB

@Bravo63251 Does modifying brave://settings/socialBlocking make a difference at all?

When this option is enabled: It adds a third-party cookie exception for accounts.google.com so sites using Login with Google can work correctly.

Not sure if you have it enabled right now. I trialed it on my own and when I had that enabled, I saw Google’s cookies. I then removed their cookies, changed the settings, navigated back to BiliBili, and Google cookies didn’t load. Not sure if it always works that way, but why don’t you test for yourself?

I also have noticed that if you were to remove google’s cookies on one website, they are also removed on other google websites like youtube. So I really now have to wonder if these cookies are cross site. And if they are, how? Because I told brave to remove or block all cross site cookies.

I have everything off

image726×282 13.4 KB

Well, they are if they have plugins with Google, as it runs through that. Cross-site tends to be like if you visited Brave, then they track you to see where else you go. That part is disabled but if they would have Brave integrations on their site, then it’s no longer “cross-site” and is actually part of the site you’re visiting. It’s something of a loophole in things. I’m probably not explaining it exact but it’s the “for dummies” way of my understanding it (saying even I don’t comprehend it fully).

Also, realized even though my cookie list only shows 2 cookies in the list but it says 3 in use. So that is a head scratcher for me now. Since @fanboynz handles a lot around Shields, will tag here to see if he might be able to explain it better to us.

Hmmm. So these integrations can take data based on what your cookies are? For example, if I was on facebook, and I have cookies for that website, and I go to another website that has facebook’s puggins on there, would they be able to read the cookies I stored on facebook.com and tell the website Im on about them? Or is it an entirely new set of cookies that are linked to facebook.com. Or is there even such a thing as unique sets of cookies for the same website?

To borrow from someone else’s explanation, which I will also link to:

A third-party cookie limit setting cookies on different domains than where the user actually is. If you are visiting mail.com and it fetches something from video.com, the cookies from that domain are automatically sent by setting the credentials to include. However, if third-party cookies are disabled, those cookies are not sent because the browser only allows cookies from mail.com.

What Google actually does is when you log in, it does a few redirect to save cookies on mail.google.com as well as on youtube.com. If you open the DevTools and check the Preserve log option, you will clearly see those redirection. They are done so quick that you don’t see them but it is how you can be logged in into multiple domains at the same time.

See the redirections you get from logging into your Google account

By doing those redirection, Google makes sure to save the cookies on the Google domain as well as the YouTube domain as way. This is why even though your third-party cookies are disabled, you get logged in into multiple domains.

Again though, I’d have to get @Mattches and @fanboynz to explain better on this. Also for them to tell us if this is something that Brave can prevent.

As to what I was saying earlier, I read somewhere in the past that there were certain integrations within websites that could turn third-party cookies to appear as if they are first-party. But I’m not sure where I found it or how accurate it is. As I’ve been searching with various terms, I’m not finding results.

Basically though, I think it came down to the idea that many sites use things like Google Analytics to track visitors to their websites. Through that, Google is able to slip in and track from their cookies. They essentially tunnel their way through and find a gray area to track.

Again, it’s something I learned a while back and I’m not sure if anyone would tell me that it’s inaccurate now. So don’t take and run with it 100% until someone with more knowledge and experience can validate or refute that. I’m just advising what I learned a while back, if that makes sense.

@Bravo63251 You can’t block 3p cookies in Brave, unless you disable Ephemeral Storage chrome://flags/#brave-ephemeral-storage that’s why you see google allowed in BiliBili website.

Did you hear about Total Cookie Protection Firefox enabled some weeks ago? well, Ephemeral Storage is the same thing, it was released long time ago in Stable, but not many notice it.
But It will enable third party cookies in a temporary storage, once you close the website they are gone. So nobody but the website can access them, nobody else.

The problem is Brave’s information is inaccurate, it only displays as “allow” the cookies, but not the Local Storage for example, so it looks like something is getting blocked, but no, they are all allowed temporarily.

However, If you block 1p cookies, nothing gets allowed, but once you allow 1p cookies, Ephemeral Storage starts working.
I mean, it is a strange concept, because even if you block them you aren’t blocking them anymore, and there is no explanation by Brave about it, they make you think you are truly blocking cookies, that’s why I always say a 4th option would be better to explain the feature and let people block 3p cookies if they want to.

So, if you want to truly disable that, go to that flag and disable it.
You are not gaining anything by doing that, you are actually losing a nice feature, because 3p cookies can be useful (not eveything is used for tracking you).

There are many benefits about it, like for example, if you go to a website for watching movies and tv shows, and it fetches the videos from different servers, well, if those servers support like saving the information about volume, time, if you enabled subtitles and video quality etc etc, if you refresh the page the video will continue where you refreshed, if you watch another movie or episode using the same server obviously, you will keep the quality so you don’t have to change things, like the appearance of subtitles, as long as you don’t close the page and remove the temporary storage.
Without Ephemeral Storage everything will be reset when you refresh, because the Browser won’t have any data about the player.
So it is useful, even if you can get scared about seeing google cookies enabled.

That’s what is going on in Brave.

Yours is likely the correct explanation.

The OP cookie matter is related to Ephemeral Storage. By default it is ON which is a good thing as it will break a lot of sign-in and some other stuff.
To turn it Off, one needs to go into brave://flags.

Now, the question is, should turning off ephemeral storage be done by flag or should their be toggle in the setting panel itself. Brave team will need to think about it. They can give proper warning before a user decides to turn if off from settings panel, because it might mess a users experience quite a lot if he decides to change it (turn it off) to see what it does.

@anon57438784
What exactly is “Ephemeral Storage”?

It is a sophisticated storage space for some important cookies used in google account cross-login etc.
It is not a bad thing per se for a default configuration.
As brave blocks all third party cookies by default, it will also block google account cookies (which can be explained as if you login into gmail, you can also use youtube with the same account without re-login in youtube) but ephemeral storage creates an exception for google account cookie. This exception is only given for google account and this cookie is sandboxed so that it cannot be used for tracking or other nonsense.

Is it only for Google and it’s services? Can Google’s login run with it turned off? And Why does Google require a separate storage location for their cookies?

No, it is for 3p storage/cookies, it works on every page you visit. I explained it, it is like Total Cookie Protection which some blogs were putting as ‘new’ and ‘innovative’ but Brave has had it for longer time.

Let’s use the easiest example so you will understand it, with a video service, explaining it short: it is just a temporary storage for 3p storage/cookies, so only a page can read and then it gets destroyed on closing the page, and then it doesn’t get written on the Browser’s data where other websites can have access to it.

Example:

Go to InPrivate mode and Go to this page

Look at the cookie/storage panel, you should see fmovies allowed, but also disqus and google. on the blocked side you will see Disqus, accounts.google and vidstream.pro.

Note: They are all allowed, the reason one appear as blocked is because the only ones that display as allowed are Cookies, not local or session storages, even if they are allowed as well, it is a bug or problems with Chromium and the Ephemeral Storage. So, pretend they are all in the “allowed” tab, where they should be.

Change settings of the video, volume, go somewhere else in the video, change the quality too.

Refresh the page, you should continue where you refreshed the page.

Now, go back to the cookies panel and allow vidstream.pro and reload.

The video will start from zero unlike the previous test, so go somewhere else in the video different from the other test and reload, it should continue where you refreshed this time.

Now go to cookies panel and block vidstream.pro, now the video should continue from the first test and have the settings the way you set them.

So, you are switching between storages, Ephemeral and Normal.

If you close the page and then click on the link again, now the video should start from zero again, because the Ephemeral Storage was cleared once you hit the close button.

And that’s it, it can be useful while not allowing websites to have access to it, like google cookies being created.

Also, Ephemeral Storage only works if 1p is allowed, so if you blocked fmovies, nothing will be allowed and the video will not work.

Fmovies doesn’t allow Devtools because of the garbage debugger blocker, but If you want to see it ‘in action’ you can use this site where you can use Devtools

You can do the same test anywhere, like here:

https://exposure.software/blog/2022/getting-started-with-exposure/ and open Devtools and go to Application and Local Storage so you can see the changes.

but it is basically the same, you change youtube player settings to 144p, mute it and enable subtitles, then refresh and the settings should stick.

Then allow youtube-nocookie and the settings should be different because it is using the ‘normal’ permanent storage and not the Ephemeral, now enable 1080p or something different.

Then you can switch the same between the two storages.

In this page you can actually test the blocking of the 1p, and you will see when you block exposure 1p, how when you restart the youtube player will not retain the settings, because now everything is getting blocked as any other browser normally would do.
So you can switch between 3 modes, the full block, Ephemeral and Normal Storage.

Just the technical things about it and how it works, in reality you shouldn’t worry, even if you wish google cookie was blocked when you are in Youtube, that’s not what will happen anymore in Brave.

Of course, if you don’t like that, or don’t care about the benefits of it, you can always block cross-sites normal like other browsers do by disabling brave://flags/#brave-ephemeral-storage

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.