Quite a popular question on various "mail mail" and other issues. But I wonder how this can actually be arranged. It is clear that "reading cookies that store search queries" is a huge misconception, because it is not safe to read cookies from other sites. I understand that information about what I visited and what I was looking for is stored on the servers of the same Google, for example.

But how does it identify me and show me advertisements? In theory, you can store an individual identifier of the search history in cookies, say for google.com. But then I cannot send it from another site (example.com, on which the advertising needs to be displayed), because again it is not safe. Identifying by IP address is also nonsense, because it can be dynamic, and all computers on the network, and not just me, would see the advertising.

Or maybe the browser does all this? The site does not have access to all this, and the browser has. And it turns out that there would be no such advertisement in another browser?

In general, here are my arguments, I did not find the answer either on the Internet or in my "mental experiments."

UPD. For those who do not understand. The crux of the matter is not how information is collected. This is nothing complicated. The essence is as follows.

Information is collected on one site, say service.com. But we visit another site, drugoi.ru. And on this site a service from service.com is installed, which receives some information from the service.com site (using the example that I gave, Yandex Direct, this is the data on where the user browsed and what the user was looking for, or a finished advertisement right away). But in order to do this, it (the service from service.com, which is installed on the site drugoi.ru) needs to send something so that the site service.com understands, "Yeah, so this is the same dude who was looking for a washing machine yesterday, here, have some washing machine advertising." And I cannot understand what it is and how it is transmitted, considering that in this case the possibilities for cross-domain requests from the service are limited, as it is embedded in another site.

Here in the comments they wrote that it can be stored in cookies, and the advertisement shown in a frame. But these services do not use frames, as far as I know.

  • Why do you need to read cookies from another site? How do the various APIs or frames work in your browser? There is a request to Yandex, which sends back the desired token, with which they later work with you, or sends the information immediately. For example, a typical social network widget somehow conveys the information that you are you. There is an even easier solution: just insert a frame. In this case, the issue of security is resolved; you cannot get more than the system allows. - Alex Krass
  • I understand that you do not need to read anything from cookies. It's just a very common mistake (for example, my teacher at the university is sure that advertising sites read cookies, by the way), so I mentioned this method. But I just do not understand how these widgets work, and that was the question. Yes, I also thought about the frame, the easiest option, but is all this advertising really a frame? It seems not. - Uraty
  • And yes, that's just what interests me. Here it transfers this token. But where does it get it from? How do widgets from the same social networks understand that I am me? For the site itself, everything is simple: this is the cookie where the token is stored. But for this API? Cross-domain requests do not allow cookies to be sent. Or can these APIs be wrapped up in a special way? I hope it is now clear what I specifically want to know. - Uraty

2 answers

The site collects information about the client's search queries and stores it in its database or somewhere else, for example, in the same cookies. In general, it does not matter. Then you need to get this information from a third-party site. For this, cross-domain query technology can be used.

An example using an iframe request.

The site that receives the information.

    <html>
    <body>
      <div id="token"></div>
      <script>
        // Here we catch the information from the third-party site
        window.addEventListener("message", function (e) {
          // Accept messages only from the embedded collector's origin
          if (e.origin !== "http://token.my") return;
          document.getElementById("token").innerText = e.data;
        }, false);
      </script>
      <iframe hidden id="fr" src="http://token.my/"></iframe>
    </body>
    </html>

The collector site, from which we get the information, in this case from the cookies:

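    <?php
    // Information collector
    if (isset($_GET["secret_pass"])) {
        setcookie("secret_pass", $_GET["secret_pass"], time() + 1000);
        // Escape the reflected value so it cannot inject markup into the response
        echo htmlspecialchars($_GET["secret_pass"], ENT_QUOTES);
        return;
    }
    ?>
    <html>
    <head></head>
    <body>
      <script>
        // We verify the user and send them the information, for example an advertisement or the secret_pass for the API
        // json_encode emits a safely quoted JS string; "*" delivers it to whichever page embeds this frame
        parent.postMessage(<?php echo json_encode($_COOKIE["secret_pass"] ?? "", JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>, "*");
      </script>
    </body>
    </html>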

In this case, a request is sent via the iframe, but you cannot directly access it because of the Access-Control-Allow-Origin security policy. Only the sender's site provides you with the opportunity to receive this information, by forwarding it with postMessage. After this is done, this information can be intercepted via EventListener("message", ..., false); and used: either embedded immediately or used as a token for a third-party API. This way we get the right key, advertisement, etc. from a third-party site.

If you want to know more, read about CORS, PostMessage, and possibly OAuth.

  • Yes, this is what I wanted to know) Thank you) I study this topic in more detail) - Uraty
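The iframe exchange from the answer above, with both ends restricting who they talk to. This is an added example, not code from the answer; the function names, the partner allow-list, the `.example` origins and the token format are assumptions made for illustration.

```javascript
"use strict";
// Added example: all names, origins and the token format are assumptions.

// Collector frame side (runs on the widget's own origin).
// Instead of postMessage(data, "*"), derive the embedding page's origin
// from the referrer and send only if that site is a registered partner.
function pickTargetOrigin(referrer, partnerOrigins) {
  let origin;
  try {
    origin = new URL(referrer).origin; // scheme + host + port; path is dropped
  } catch {
    return null; // empty or malformed referrer: send nothing
  }
  return partnerOrigins.includes(origin) ? origin : null;
}

// Host page side (the site that embeds the hidden iframe).
// Builds a "message" listener that accepts a token only if it comes from
// the expected origin AND from the iframe's own window AND looks like a token.
const TOKEN_RE = /^[A-Za-z0-9_-]{16,128}$/; // assumed token format

function makeTokenReceiver(collectorOrigin, frameWindow, onToken) {
  return function onMessage(e) {
    if (e.origin !== collectorOrigin) return false; // wrong sender origin
    if (e.source !== frameWindow) return false;     // not our iframe's window
    if (typeof e.data !== "string" || !TOKEN_RE.test(e.data)) return false;
    onToken(e.data);
    return true;
  };
}

// Constructed stand-ins for browser objects so the checks run outside a browser.
function demo() {
  const frame = {}; // plays the role of iframe.contentWindow
  const seen = [];
  const rx = makeTokenReceiver("https://token.example", frame, (t) => seen.push(t));
  const good = "abcDEF0123456789_-xy"; // constructed sample token
  const results = [
    rx({ origin: "https://token.example", source: frame, data: good }),
    rx({ origin: "https://other.example", source: frame, data: good }),
    rx({ origin: "https://token.example", source: {}, data: good }),
    rx({ origin: "https://token.example", source: frame, data: "<img onerror=1>" }),
  ];
  return { results, seen };
}
```

In a page, the listener is registered with `window.addEventListener("message", makeTokenReceiver(origin, iframe.contentWindow, handler))`, and the frame calls `parent.postMessage(token, target)` only when `pickTargetOrigin(document.referrer, partners)` returns a non-null origin.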

On most sites there are metrics and other analytics. They transmit info about the user. Then it is collected and analyzed much more extensively than can be seen from the outside. Plus all sorts of social networks, etc., where users voluntarily leak such things about themselves.

Not to mention the search in PS.