Assume a web app (served over HTTP) has a `<script>` tag with a `src` that points to another domain. The external script is doing things with cookies and/or localStorage. Which domain's cookies can it access?

```html
<!-- on example.org -->
<script src='http://anotherexample.org/script.js'></script> <!-- This script messes with cookies -->
```

My intuition tells me the cookies that it manipulates are those that belong to example.org. But how does this work?
Your intuition is pretty much correct. Cookies were created before browsers began to implement same origin policy restrictions and, thus, are not generally protected by those policies. So when the script delivered by anotherexample.org accesses `document.cookie`, it will see those cookies delivered by example.org in the original HTTP response.

The only significant exception is for "HttpOnly" cookies. If example.org chooses, it can designate cookies that it delivers as "HttpOnly"; those cookies cannot be accessed by any JavaScript code, whether from anotherexample.org or even example.org itself.
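The following is an added example, not part of the original question or answer. It models what the answer describes: the set of cookies that `document.cookie` exposes is determined by the document's host and scheme, never by the origin the script was loaded from, and `HttpOnly` cookies are excluded from that view entirely. The `Set-Cookie` headers are constructed sample values; the function and cookie names are assumptions for illustration. An `auditSetCookie` helper shows the defensive check a site owner would apply to its own headers.

```javascript
// Constructed sample Set-Cookie headers, as if delivered by example.org.
const SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; HttpOnly',
  'prefs=dark; Path=/',
  'tracking=xyz; Domain=example.org; Path=/',
  'csrf=tok; Secure; Path=/',
];

// Parse one Set-Cookie header into name, value and the attributes that
// matter for script visibility (HttpOnly, Secure, Domain).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    httpOnly: false,
    secure: false,
    domain: null, // null means host-only (no Domain attribute)
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'domain') cookie.domain = (v || '').replace(/^\./, '').toLowerCase();
  }
  return cookie;
}

// Which cookies does JavaScript running in a document at pageHost/pageScheme
// see via document.cookie? Note there is no parameter for the script's own
// origin: a script from anotherexample.org running on example.org reads the
// same jar as example.org's inline scripts. setByHost is the host whose
// response delivered the cookies (host-only cookies are tied to it).
function visibleToScript(headers, pageHost, pageScheme, setByHost) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly) // HttpOnly: never exposed to script
    .filter((c) => !c.secure || pageScheme === 'https') // Secure: https only
    .filter((c) =>
      c.domain === null
        ? pageHost === setByHost
        : pageHost === c.domain || pageHost.endsWith('.' + c.domain)
    )
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Defender-side check: which hardening flags is a Set-Cookie header missing?
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.httpOnly) missing.push('HttpOnly');
  if (!c.secure) missing.push('Secure');
  return missing;
}

// Page served over plain http on example.org, cookies set by example.org:
console.log(visibleToScript(SAMPLE_SET_COOKIE, 'example.org', 'http', 'example.org'));
// Same cookies viewed from a document on https://www.example.org:
console.log(visibleToScript(SAMPLE_SET_COOKIE, 'www.example.org', 'https', 'example.org'));
for (const h of SAMPLE_SET_COOKIE) console.log(h, '-> missing:', auditSetCookie(h));
```

On the http page, the third-party script sees `prefs` and `tracking` but neither the `HttpOnly` session cookie nor the `Secure` CSRF cookie; on a subdomain it sees only the cookie whose `Domain` attribute covers it. The audit output is what a site owner should act on: any cookie that a third-party script does not need should carry `HttpOnly`, which is the only lever the answer identifies for keeping it out of `document.cookie`.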