Cookie Infrastructure at Meta

Tuesday, September 12, 2023 - 10:40 am11:00 am

Katriel Cohn-Gordon, Meta


If you run a website, you probably use cookies. To do this well, you need to make sure you know what cookies you set, enforce that you really don't set them before the user has agreed, prevent setting ones that users didn't agree to, enforce properties across all of your cookies, and minimise the developer overhead required to use them.

I'll talk about how we manage cookies at Meta, relying on a central cookie schema which is technically enforced via a simple developer-facing API. Developers statically declare the cookies that can be set on each domain, and only have access to read or write them via a central API which is aware of the user's choices. Since 3rd party cookies are set by other sites, we also make a schema for them, and use Content-Security-Policy (CSP) headers to block 3rd party embeds where a user hasn't agreed to them. The result is a system which is easy for developers to use but still lets us make strong technical guarantees about our cookie usage.

Katriel Cohn-Gordon, Meta

Katriel Cohn-Gordon is a software engineer on Meta's Privacy Infrastructure team, where he has worked on User Data Access, data transfers, cookies infrastructure, deletion, and other Privacy topics. Before moving to Meta he wrote pen-and-paper proofs for secure messaging protocols, and still dabbles in end-to-end encryption topics such as accountability for Javascript cryptography. He lives in London with his partner and a large collection of houseplants.

@conference {290817,
author = {Katriel Cohn-Gordon},
title = {Cookie Infrastructure at Meta},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = sep

Presentation Video