I was reading the Third-party cookies article on MDN and I can’t understand how the “link” variant works.
The article lists two ways how third-party cookies can be set:
- A resource includes a resource from a different origin.
- A link is clicked.
The first version is perfectly clear, a resource at https://alice.example includes a resource from https://bob.example and when the browser fetches the resource from https://bob.example it comes with a Set-Cookie header. That cookie is a third-party cookie.
The second version I can’t understand, no matter how or how long I look at it, if a resource at https://alice.example contains a link (which I understand as <a href="...">...</a>) to a resource on https://bob.example, how can a third-party cookie be set?
- https://alice.example certainly cannot set a cookie on behalf of https://bob.example (nor vice-versa), that would be a monumental security violation.
- If https://alice.example sets a cookie for itself, it won’t be sent when the browser fetches the resource from https://bob.example when the user navigates to it clicking the link.
- If https://bob.example sets a cookie for itself when the user fetches the resource then it’s a first-party cookie, even if it’s created using information passed from https://alice.example through the query or body.
The exact wording in the article is:
Third-party cookies are sent in the following common situations: […] When a link is clicked on one site to navigate to another site.
and
Third-party cookies set when clicking on links to other sites are used for a variety of purposes. For example, you might have an affiliate link to a partner site and set a cookie when the user follows the link so that a reward banner can be displayed with a discount if a certain product is purchased or a commission can be paid back to the referrer.
and
Following a link to a third-party or interacting with third-party content embedded in an (for example, filling out a form or clicking a button) could result in cookies being set that put a user’s information in the hands of someone they didn’t expect.
The second quote especially confuses me, isn’t that a first-party cookie set by the partner site and the information passed as a tracking parameter?
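
The two cases the question separates, modelled as an added example (not part of the original post or of MDN). It assumes a cookie's party is judged against the site of the top-level document once the response is handled; `siteOf` and `classifySetCookie` are hypothetical names, and the site calculation is a simplification.

```javascript
// Added illustration, not code from MDN or the original post.
// ASSUMPTION: "site" is approximated as scheme + last two host labels;
// real browsers use the Public Suffix List.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

// kind: "subresource" (img, script, iframe fetch) keeps the current top-level
// document; "navigation" (link click) replaces it with the target.
function classifySetCookie({ pageUrl, requestUrl, kind }) {
  if (kind !== "subresource" && kind !== "navigation") {
    throw new TypeError(`unknown request kind: ${kind}`);
  }
  const initiatorSite = siteOf(pageUrl);
  const cookieSite = siteOf(requestUrl); // a response can only set cookies for its own site
  const topLevelSite = kind === "navigation" ? cookieSite : initiatorSite;
  return {
    cookieSite,
    topLevelSite,
    crossSiteRequest: initiatorSite !== cookieSite,
    party: cookieSite === topLevelSite ? "first-party" : "third-party",
  };
}

// Constructed sample requests using the hosts from the question.
const cases = [
  { pageUrl: "https://alice.example/post", requestUrl: "https://bob.example/pixel.gif", kind: "subresource" },
  { pageUrl: "https://alice.example/post", requestUrl: "https://bob.example/shop?ref=alice", kind: "navigation" },
  { pageUrl: "https://www.alice.example/post", requestUrl: "https://cdn.alice.example/app.js", kind: "subresource" },
];
for (const c of cases) {
  console.log(c.kind, c.requestUrl, classifySetCookie(c));
}
```

Under that assumption the link click is a cross-site request whose Set-Cookie is still stored as a first-party cookie for https://bob.example, while the embedded fetch from the same page yields a third-party one.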