
What cookies can a js script loaded from an external domain access?

Assume a web app (served over http) has a <script> tag with a src on another domain. The external script is doing things with cookies and/or localStorage. What domain's cookies can it access?

<!-- on example.org -->
<script src='http://anotherexample.org/script.js'></script> <!-- This script messes with cookies -->

My intuition tells me the cookies that it manipulates are those that belong to example.org. But how does this work?

Your intuition is pretty much correct. Cookies were created before browsers began to implement same origin policy restrictions and, thus, are not generally protected by those policies. So when the script delivered by anotherexample.org accesses document.cookie it will see those cookies delivered by example.org in the original HTTP response.

The only significant exception is for "HttpOnly" cookies. If example.org chooses, it can designate cookies that it delivers as "HttpOnly"; those cookies cannot be accessed by any JavaScript code, whether from anotherexample.org or even example.org itself.
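As an added illustration (not part of the original answer), here is a small JavaScript model of which cookies a browser returns from document.cookie for a page at a given URL. The origin of the script doing the reading is deliberately not an input, which is the answer's point; the cookie jar is a constructed sample, and the helpers are simplified versions of the RFC 6265 domain rules, not a browser's real implementation.

```javascript
// Parse one Set-Cookie header value. `host` is the responding host, which
// scopes a host-only cookie (one without a Domain attribute).
function parseSetCookie(header, host) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), host,
              domain: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':   c.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'secure':   c.secure = true; break;
      case 'httponly': c.httpOnly = true; break;
    }
  }
  return c;
}

// Domain-match: the page host equals the cookie's Domain or is a subdomain of it.
function domainMatches(pageHost, cookieDomain) {
  return pageHost === cookieDomain || pageHost.endsWith('.' + cookieDomain);
}

// Names of the cookies document.cookie exposes to ANY script running in the
// page, whatever origin that script was loaded from.
function scriptVisibleCookies(pageUrl, cookies) {
  const page = new URL(pageUrl);
  return cookies
    .filter(c => c.domain ? domainMatches(page.hostname, c.domain)
                          : page.hostname === c.host)      // host-only: exact host
    .filter(c => !c.secure || page.protocol === 'https:')  // Secure: https pages only
    .filter(c => !c.httpOnly)                              // HttpOnly: never in document.cookie
    .map(c => c.name);
}

// Constructed sample jar: cookies set by example.org, www.example.org and anotherexample.org.
const jar = [
  parseSetCookie('session=abc123; HttpOnly', 'example.org'),
  parseSetCookie('theme=dark', 'example.org'),
  parseSetCookie('token=xyz; Secure', 'example.org'),
  parseSetCookie('tracker=1', 'anotherexample.org'),
  parseSetCookie('pref=1; Domain=.example.org', 'www.example.org'),
];
console.log(scriptVisibleCookies('http://example.org/', jar)); // [ 'theme', 'pref' ]
```

On the http page, the HttpOnly session cookie and the Secure token are both withheld, and anotherexample.org's own cookie is never part of example.org's document.cookie regardless of which script asks.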
