
Are cookies sent with image requests?

People also ask

Are cookies sent with requests?

Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the Web Storage API (localStorage and sessionStorage) and IndexedDB.

How are cookies sent?

Cookies are sent by the browser to the server when an HTTP request starts, and they are sent back from the server, which can edit their content. Cookies are essentially used to store a session id. In the past cookies were used to store various types of data, since there was no alternative.

Can images set cookies?

A request for an image is basically the same as a request for an HTML page. It uses the same request/response structure. So yes, you can set a cookie on an image request. The request/response can be seen in most modern browsers.

How do I put cookies in GET request?

To add cookies to a request for authentication, use the header object that is passed to the get/sendRequest functions. Only the cookie name and value should be set this way. The other pieces of the cookie (domain, path, and so on) are set automatically based on the URL the request is made against.


Yes. HTTP doesn't distinguish between one kind of resource or another (image vs html).


The cookie will typically be included in any type of request, but the scenario you describe is what's known as a third-party cookie (that is, the cookie is set on a domain that is different than the domain of the loaded page) and most browsers offer a privacy setting to block third-party cookies.

A third-party cookie allows the owners of bar.com to place an image (say a banner ad) on foo.com and track the users of foo.com even though those users have never visited bar.com. This is a privacy concern and many users elect to block such cookies.


If third-party cookies are not blocked by the user, then most modern browsers will set or send cookies of the third-party domain when a request is made to the third-party web site. IE 6 has a different kind of blocking mechanism called leashing. wiki: A leashed cookie is a third-party cookie that is sent by the browser only when accessing a third-party document via the same first-party.


This question is old, but was the first result on Google for me, so I think it's worth clarifying how this works nowadays (2021).

When bar.com sets the cookie, they can specify a SameSite attribute.

If the cookie is set with SameSite=Lax (or the SameSite attribute is not specified), then the cookie will not be sent for requests for images/iframes/etc. hosted on bar.com, but will be sent if the user clicks a link on your foo.com homepage that takes them to bar.com.

If the cookie is set with SameSite=Strict, the cookie will not be included in requests to bar.com that originate from another website, including if the user clicks a bar.com link on foo.com.

If the cookie is set with SameSite=None, the cookie will be sent to bar.com, including requests for images.
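
The three SameSite cases from the answer above, as an added example that is not part of the original post: a simplified JavaScript model of the browser's decision. `parseSetCookie`, `siteOf`, `cookieIsSent` and `demo` are hypothetical helpers, the headers are constructed samples, and "site" is approximated by the last two host labels instead of the Public Suffix List.

```javascript
// Simplified model of SameSite handling; assumes the browser accepted the cookie.

// Extract the cookie name and SameSite mode from a Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  let sameSite = "lax"; // missing or unrecognised attribute is treated as Lax
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const mode = value.trim().toLowerCase();
    if (key.trim().toLowerCase() === "samesite" &&
        ["strict", "lax", "none"].includes(mode)) {
      sameSite = mode;
    }
  }
  return { name: pair.split("=")[0], sameSite };
}

// Assumption: the last two labels identify the site (real browsers use the PSL).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// request: { pageHost, targetHost, topLevelNavigation, method }
function cookieIsSent(cookie, request) {
  if (siteOf(request.pageHost) === siteOf(request.targetHost)) return true;
  if (cookie.sameSite === "none") return true;
  if (cookie.sameSite === "lax") {
    // Cross-site: only a top-level navigation with a safe method carries it.
    return request.topLevelNavigation && request.method === "GET";
  }
  return false; // strict: never sent on cross-site requests
}

// Constructed scenario: a page on foo.com referencing bar.com.
const imageLoad = { pageHost: "foo.com", targetHost: "bar.com",
                    topLevelNavigation: false, method: "GET" };
const linkClick = { ...imageLoad, topLevelNavigation: true };

function demo() {
  const headers = ["sid=a1", "sid=a1; SameSite=Lax", "sid=a1; SameSite=Strict",
                   "sid=a1; SameSite=None; Secure"]; // constructed samples
  return headers.map((h) => {
    const cookie = parseSetCookie(h);
    return { header: h, image: cookieIsSent(cookie, imageLoad),
             link: cookieIsSent(cookie, linkClick) };
  });
}

console.table(demo());
```
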


Yes, cookies are sent on all requests. This includes "img" and "script" as well as XMLHttpRequest calls from JavaScript, and can be a security issue on script tags, as scripts loaded by one website can load scripts from another site and will send their authentication cookies too. This can be exploited to steal data.