Google Chrome Allows Unauthorized Cookies

Updated March 5, 2012.

This site is no longer being maintained. Keep that in mind when reading through these pages.

Current versions of Google Chrome, Chromium and Chromium-based browsers save cookies from certain domains even when the browser is told not to accept any cookies whatsoever. Cookies from Amazon, Blekko, CNN, YouTube, Yippy Search and Ecosia Search, to name some domains, bypass the user-specified cookie settings. Some of these cookies expire with the session but some do not.

Blekko’s cookie expired in 2022 and Amazon’s in 2036. Unless the browser is set to delete cookies on exit, users who have disabled local storage are still accruing cookies while under the impression that this is not happening. See my bug report to track this issue further.
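To check whether a profile that is set to block all cookies is accruing them anyway, the browser's cookie store can be audited directly. The following is an added example, not part of the original post: it assumes the store is an SQLite file with a `cookies` table whose `host_key`, `name` and `expires_utc` columns hold the host, cookie name and expiry in microseconds since 1601-01-01 UTC, and it runs against a constructed in-memory table with made-up hosts and cookie names.

```python
import sqlite3
from datetime import datetime, timedelta

# Chrome stores timestamps as microseconds since this date (UTC).
WEBKIT_EPOCH = datetime(1601, 1, 1)


def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def persistent_cookies(conn, now):
    """Return (host, name, expiry) for stored cookies that outlive `now`.

    expires_utc == 0 marks a session cookie, so those rows are skipped.
    """
    rows = conn.execute(
        "SELECT host_key, name, expires_utc FROM cookies "
        "WHERE expires_utc > 0 ORDER BY host_key, name"
    )
    found = []
    for host, name, expires in rows:
        expiry = webkit_to_datetime(expires)
        if expiry > now:
            found.append((host, name, expiry))
    return found


def build_sample_store():
    """Constructed stand-in for a profile's cookie database (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, expires_utc INTEGER)"
    )
    sample = [  # constructed rows; hosts and cookie names are placeholders
        (".shop.example", "long-lived", datetime_to_webkit(datetime(2036, 1, 1))),
        (".search.example", "ten-year", datetime_to_webkit(datetime(2022, 2, 27))),
        (".news.example", "session-only", 0),
        (".old.example", "already-expired", datetime_to_webkit(datetime(2011, 6, 1))),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?)", sample)
    return conn


if __name__ == "__main__":
    for host, name, expiry in persistent_cookies(build_sample_store(), datetime(2012, 3, 1)):
        print(f"{host:20} {name:16} expires {expiry:%Y-%m-%d}")
```

To audit a real profile, close the browser, copy its cookie database and pass `sqlite3.connect(<path to the copy>)` to `persistent_cookies`; with cookies blocked, any row it returns was stored against the setting.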

Update MAR 5, 2012: Chrome stable (current version 17.963.65) is patched and the bug report is marked as fixed. Problem solved. Kudos to the Chrome and Chromium developers for moving quickly to get it worked out.

Update MAR 2, 2012: A patched Chrome stable is going through QA checks now so it should be sent out to users in a browser update early next week.

Update MAR 1, 2012: A patch to correct this has made it into the Chromium snapshots starting at build 124404. It should hit Chrome stable shortly.

Update FEB 29, 2012: Mike West of Chrome’s privacy team responded about the issue. Here’s what he had to say:

This bug seems to be related to the OpenSearch feature (i.e. it occurs on websites which register a search engine in the browser). The URLFetcher that is used to download the OpenSearch description document seems to accidentally disregard cookie settings.

The good news is that these cookies are not sent to the server for regular web requests (i.e. when you browse the website) if cookies are blocked in the content settings.
