I remember losing a bet a while back, because I was naive enough to think that was how cookies worked in the first place. Why did other sites ever have access to cookies they didn’t create was beyond me.
> Why did other sites ever have access to cookies they didn’t create was beyond me.
They don't.
If you go to example.com, and it loads an ad on tracker.com, then tracker.com will create a cookie. example.com WILL NOT be able to see that cookie. Likewise, if you were to log into example.com, tracker.com WILL NOT see the example.com cookie.
What happens (Without third party cookie blocking or FF's TCP) is if you then go to anothersite.com, and it also loads an ad from tracker.com, then the same cookie sent to it while visiting example.com will be sent, resulting in tracker.com knowing that you visited both sites. The admins of both example.com and anothersite.com will then be able to look at analytics and see that the visitors of their site also visit the other.
At no point is one site ever able to see a cookie they didn't create. Otherwise, this would be a MASSIVE security hole as it would make session stealing trivial.
However, a site is able to see a cookie they created while visiting another site.
Maybe this is what you meant, but it wasn't entirely clear.
You don't need access to cookies you didn't create to do cross-site tracking.
Think: Disqus or Facebook comments at the end of articles, which used to be pretty ubiquitous. You'd be logged in and able to comment on any website using a cookie set by Disqus or Facebook, so you wouldn't have to log in or register on each individual website.
This Total Cookie Protection will break that. Your Disqus-set login cookie set on site A won't be visible when you're on site B, so you won't be logged in to Disqus there.
