by zo1
2049 days ago
Of course they do. It uses an iframe request to the Google.com domain (so that the "host" website doesn't see any details before you log in). Google can, however, see who you are because your auth cookies and what-not will be sent along with that iframe request on whatever host website decides to use this pattern. See: Medium

A further issue with this is that Google knows you're on that website because the referrer and request headers will have that on the iframe request.

Edit: I think I replied on the wrong post here.
There's a fundamental conflict between privacy and convenience, because I have to either allow no third-party cookies, which means no one can embed any authenticated content from a third-party context (think Disqus comments on a blog), or I have to allow third-party tracking. The middle ground -- allowing some third-party cookies but not others -- is a UX nightmare. Just trying to explain the situation to an average user, at all, is nearly impossible, much less interrupting every visit to every site with "Can I use cookies from {site 2} here? How about {site 3,4,5...112}?".
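
The behaviour both comments describe, as an added example (not code from either commenter): a simplified JavaScript model of what an embedded provider receives on a cross-site iframe load under an allow-all, block-all, or per-site third-party cookie policy. The cookie jar, URLs, `blog.example` and all function names are constructed; cookies are assumed to be `SameSite=None; Secure`, and a "site" is approximated as the last two hostname labels.

```javascript
// Added illustration, not from the thread. Constructed cookie jar: one
// session cookie per embedded provider, assumed SameSite=None; Secure.
const jar = [
  { site: "google.com", name: "SID", value: "constructed-value" },
  { site: "disqus.com", name: "sessionid", value: "constructed-value" },
];

// Simplification: "site" = last two hostname labels (real browsers use the PSL).
const siteOf = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// policy: "allow-all" | "block-third-party" | { allow: [site, ...] }
function thirdPartyCookiesAllowed(policy, embeddedSite) {
  if (policy === "allow-all") return true;
  if (policy === "block-third-party") return false;
  return policy.allow.includes(embeddedSite);
}

// Headers the embedded provider receives when the host page loads its iframe.
function iframeRequestHeaders({ topLevelUrl, iframeUrl, policy, referrerPolicy }) {
  const embeddedSite = siteOf(iframeUrl);
  const crossSite = siteOf(topLevelUrl) !== embeddedSite;
  const headers = {};
  if (!crossSite || thirdPartyCookiesAllowed(policy, embeddedSite)) {
    const pairs = jar.filter((c) => c.site === embeddedSite)
                     .map((c) => `${c.name}=${c.value}`);
    if (pairs.length) headers.Cookie = pairs.join("; ");
  }
  if (referrerPolicy !== "no-referrer") {
    // Modeled on strict-origin-when-cross-origin: origin only when cross-site.
    const top = new URL(topLevelUrl);
    headers.Referer = crossSite ? top.origin + "/" : top.href;
  }
  return headers;
}

// What the provider can infer from a single request.
function providerLearns(headers) {
  return { whoYouAre: "Cookie" in headers, whichSiteYouAreOn: "Referer" in headers };
}

// Constructed host page and iframe URLs.
const host = "https://blog.example/post/1";
for (const policy of ["allow-all", "block-third-party", { allow: ["disqus.com"] }]) {
  for (const iframeUrl of ["https://accounts.google.com/login", "https://disqus.com/embed"]) {
    const h = iframeRequestHeaders({ topLevelUrl: host, iframeUrl, policy });
    console.log(JSON.stringify(policy), iframeUrl, providerLearns(h));
  }
}
```

Blocking third-party cookies removes the `Cookie` header for the login iframe and the comment widget alike, which is the conflict described above; the `Referer` still names the host site unless the page also sets a `no-referrer` policy.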