Cookie tracking

gistfile1.txt

https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
"4.3.  Tracking
   The proposals in this document do not in themselves mitigate the
   privacy risks described in Section 7.1 of [RFC6265bis].  Entities who
   wish to use cookies to track user activity from cross-site contexts
   can continue to do so by setting cookies that declare themselves as
   "SameSite=None".

https://web.dev/samesite-cookies-explained
"Additionally in Chrome, if you also enable the cookies-without-same-site-must-be-secure flag then you must also specify
SameSite=None cookies as Secure or they will be rejected. Note, this flag won't have any effect unless you also have same
-site-by-default-cookies enabled."
document.cookie = 'cross-site-cookie=bar; SameSite=None; Secure';

We need cookie tracking instead of finger print tracking in both cases:
1) Events tracking - impressions, clicks etc instead of client_uid field.
2) Smart tags - to match ads

I checked the possibility of set/ready cookie under our domain 'staticcdn.enzymic.co' and it seems possible.

# function to set cookie where for example:
# cname = 'enzymic_UID'
# cvalue = random hash
function setCookie(cname, cvalue, exdays) {
  var d = new Date();
  d.setTime(d.getTime() + (exdays*24*60*60*1000));
  var expires = "expires="+ d.toUTCString();
  document.cookie = cname + "=" + cvalue + ";" + expires + ";path=/";
}

# function to get cookie by specific cname
function getCookie(cname) {
  var name = cname + "=";
  var decodedCookie = decodeURIComponent(document.cookie);
  var ca = decodedCookie.split(';');
  for(var i = 0; i <ca.length; i++) {
    var c = ca[i];
    while (c.charAt(0) == ' ') {
      c = c.substring(1);
    }
    if (c.indexOf(name) == 0) {
      return c.substring(name.length, c.length);
    }
  }
  return "";
}

# more about cookies and js https://www.w3schools.com/js/js_cookies.asp

1. Events tracking
For events tracking we can do next way:
When we show ad_unit to user we try to read our cookie.
If cookie empty - then calculate new value and set cookie to user's browser. 
If cookie present - read it's value.
Then use cvalue as UID attribute and send it with event to stats.

2. Smart tags
I think we can do the same as for 'Event tracking'. The cname should be another 'smart_tag_UID'. 
But we need set cookie for another domain. 
Because we send smart_tag_event from customer's domain, for example www.fairprice.com.sg. 
Need to investigate how we can do this. Here some articles https://stackoverflow.com/questions/6761415/how-to-set-a-cookie-for-another-domain

Lets say a.com is fairprice and b.com is staticcdn.enzymic.co
"You can't, but... If you own both pages then...
1) You can send the data via query params (http://siteB.com/?key=value)
2) You can create an iframe of Site B inside site A and you can send post messages from one place to the other. 
As Site B is the owner of site B cookies it will be able to set whatever value you need by processing the correct post message."

If we can do this, then during ad_unit showing to user we can read the cookie and match the right ads for this user 
as we do now at static ads_controller.

I also studied these possibilities and in this regard I have questions:

1. What is the purpose of using cookies? In my opinion, the goal is to unequivocally and at any time identify the user so that he can show unique content. There are no problems with the cookies themselves (how to install them, read, etc.). The question is how to set the user a unique id (aka "cname") so that we can get it today and tomorrow, and in a week. This raises the following question: if we can do this, then why do we need cookies? Now fingerprinting is used for these purposes.

2. Smart tags. With regard to the above, I can say the following:

The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".
NOTE: For security reasons, many user agents are configured to reject Domain attributes that correspond to "public suffixes". For example, some user agents will reject Domain attributes of "com" or "co.uk".

In general, the use of cookies in the iframe user browser uniquely refers to the "3-d party". And, for example, in the case of Safari is blocked by default.

As mentioned, fingerprinting will be disabled by Chrome soon. So we need to move away from using Fingerprinting and have to do it asap. I'm not sure about Dima code. But what I envision is that we will set the cookie when smart tag is activate by user. This cookie is unique for each user and we will store the unique id (UID) of this cookie. And when our ad is serve, we will read the cookie, and if the UID matched with the cookie identified through smart tag, we will serve the ads that associate with this cookie.

Yes. our cookie will be using 3rd Party cookie and understand that safari or Apple ITP will block this. But this is the general issue for all cookie tracking. At least we are level setting to be align with whole adtech industry who are using cookie tracking.