Tags: html, cookies, privacy, whitelist

Can a third-party site set a cookie through my site if I hotlink/embed a non-script resource?


If I use an image, stylesheet, webfont, or other non-script resource from an external site (e.g., hotlinking, embedding, or linking), can that site set a third-party cookie on a user's device when they visit my web site? Are there any HTML elements (besides script, applet, iframe, object, or embed) that can be used to set a third-party cookie by using an external URL in a src or href attribute?

I am aware that you can do some trickery on your web server to, for example, handle a .jpg file as if it's a different file type (.php, .aspx, etc.) which could set a cookie as well as return stylesheet content. I'm specifically asking if a "real" image or other resource could be used to set cookies.

I'm not trying to do this, I'm trying to prevent it. This question occurred to me while trying to make sure a web site was fully GDPR and ePrivacy compliant. I know GDPR questions are not allowed, and I'm not asking for legal advice. This is more about curiosity on the security and privacy issues that can result from seemingly "safe" sharing of third-party content.


Solution

  • Yes

    Cookies can be set by response headers; therefore any website resource outside your control can set its cookie. Of course, the cookie will be visible/accessible only for its domain (not yours).

    This is a GDPR privacy concern for you, because 3rd-party companies can trace the user this way; moreover, they see the client IP and browser signature, which can be interpreted as a privacy problem too.
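To see the point of the answer in practice, here is an added example (not code from the question or the answer) that a site owner can use to audit the resources they embed: a tiny local HTTP server stands in for the external host and serves a genuine 1x1 PNG whose response carries a `Set-Cookie` header, and an audit function fetches a resource URL and reports any cookies the response tries to set. The server, the generated PNG, the `/tracked` path and the `tid` cookie are all constructed for the example.

```python
"""Audit embedded resource responses for Set-Cookie headers (added example)."""
import struct
import threading
import urllib.request
import zlib
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_png_1x1():
    """Build a valid 1x1 RGBA PNG in memory: a real image, no script content."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)   # 1x1, 8-bit, RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\x00")   # filter byte + 1 pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


PNG_1X1 = make_png_1x1()


class ImageHandler(BaseHTTPRequestHandler):
    """Stand-in for a third-party host: every path returns the same PNG."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", str(len(PNG_1X1)))
        if self.path.startswith("/tracked"):
            # Hypothetical tracking cookie attached to an ordinary image response.
            self.send_header("Set-Cookie", "tid=abc123; Path=/")
        self.end_headers()
        self.wfile.write(PNG_1X1)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Start the stand-in host on a free loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), ImageHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def audit_resource(url):
    """Fetch url; return (content_type, list of Set-Cookie values, body bytes)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        cookies = resp.headers.get_all("Set-Cookie") or []
        return resp.headers.get("Content-Type"), cookies, resp.read()
```

Run `audit_resource` against each external image, stylesheet or font URL your pages reference; a non-empty cookie list on a plain `image/png` response is exactly the case the answer describes.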