I was working on JSONP to send data from a cookie, from a domain A to a domain B. It works well, but that is not my question. I just realized that if I only put a script tag on my domain B pointing to my domain A, all the cookies of my domain A are set on my domain B.
Example: I put this tag on my domain B:
<script src="http://mydomainA./"></script>
Only with that, all the cookies of my domain A are set on my domain B. My question is: is it normal? I thought cookies needed some hacks to be cross-domain, but I didn't think it was that easy.
Sorry for my bad English, and I apologize if my question is stupid or if it has been asked before.
Thanks in advance.
asked Dec 11, 2012 at 10:32 by M4nch4k, edited Dec 11, 2012 at 10:38 by Anders R. Bystrup
- How are you setting the cookies? – Quentin Commented Dec 11, 2012 at 10:58
- How did you come to the conclusion that cookies for domain A are sent to domain B? Can you illustrate the process? – Raffaele Commented Dec 11, 2012 at 11:05
- I can put a link pointing to any website in my script, and all the cookies of this site are set on my domain B. I guess these cookies are set by PHP or JavaScript. I came to this conclusion because if there isn't the script tag including my domain A, I only have the cookies of my domain B. And when I put the link pointing to my domain A into my script tag, I have the cookies of my domain + the cookies of my domain A – M4nch4k Commented Dec 11, 2012 at 11:18
- The point is: where do you read cookies? – Raffaele Commented Dec 11, 2012 at 11:54
- Firefox, Firebug. I guess there is an option set to allow cookies from other websites, and maybe it's only in Firefox – M4nch4k Commented Dec 11, 2012 at 14:45
1 Answer
Cookies are simply headers in HTTP requests. When the browser requests
    GET /foo
    Host: a.
it receives an HTML document, which contains a <script> tag hosted on another domain. So it fires another request:
    GET /script.js
    Host: b.
    Cookie: foobarbaz
and it can certainly append cookies for domain b., if any. This means that the last time the browser contacted b., the HTTP response contained a header like
    ...
    Set-Cookie: foobarbaz
    ...
and so subsequent requests to the same domain will maintain the session. When the browser requests another resource from a., such as
    GET /bar.jpeg
    Host: a.
the cookie foobarbaz set by b. will not be sent along with the request, so the scripts on a. don't have access to data from b.
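The scoping rule the answer describes, as an added example that is not part of the original answer: a simplified browser cookie jar replaying the same request sequence, plus one case the answer does not show, a response from one host trying to set a cookie for the other. It models host and Domain matching only (Path, Secure, expiry, SameSite and public-suffix checks are left out), and the hostnames a.example and b.example and all cookie values are constructed.

```javascript
// Minimal browser cookie jar model; hosts a.example / b.example are constructed.
class CookieJar {
  constructor() { this.cookies = []; } // {name, value, domain, hostOnly}

  // Domain-match: same host, or host is a subdomain of `domain`.
  static domainMatch(host, domain) { return host === domain || host.endsWith("." + domain); }

  // Handle one Set-Cookie header from a response served by `host`.
  store(host, header) {
    const [pair, ...attrs] = header.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false;
    let domain = host, hostOnly = true;
    for (const a of attrs) {
      const [k, v = ""] = a.split("=");
      if (k.toLowerCase() === "domain" && v) {
        domain = v.replace(/^\./, "").toLowerCase();
        hostOnly = false;
      }
    }
    // A server can only set cookies for its own host or a parent domain.
    if (!CookieJar.domainMatch(host, domain)) return false;
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    this.cookies = this.cookies.filter(c => c.name !== name || c.domain !== domain);
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Cookie header for a request to `host`; the embedding page plays no part.
  cookieHeader(host) {
    return this.cookies
      .filter(c => c.hostOnly ? c.domain === host : CookieJar.domainMatch(host, c.domain))
      .map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// Replay of the request sequence described in the answer.
function replay() {
  const jar = new CookieJar();
  jar.store("b.example", "session=foobarbaz"); // earlier response from b
  jar.store("a.example", "theme=dark");        // a's own cookie
  return {
    bSetsForA: jar.store("b.example", "x=1; Domain=a.example"), // rejected
    scriptFromB: jar.cookieHeader("b.example"), // <script src> on a's page
    imageFromA: jar.cookieHeader("a.example"),  // GET /bar.jpeg on a
  };
}

console.log(replay());
```

Developer tools that list cookies for every request made by a page show both sets side by side, although each cookie is still stored for, and sent only to, its own domain.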