JavaScript and third party cookies

Say there is a site foo.com which loads JavaScript from site bar.com. Now, say the JavaScript from site bar.com tries to read cookies using document.cookies. I was under the impression that using JavaScript, you can read all the cookies set in the browser irrespective of their source. But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other. If this is the case, how are script injection attacks which steal cookies carried out?

roger asked Jul 29 '10 14:07


1 Answer

> But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other.

That isn't true. What matters is where the HTML document containing the <script> element is, not the URL of the JS file that said <script> mentions in the src attribute.

I suspect your problem is that you are accessing document.cookies when the property is called document.cookie (Singular!).

Quentin answered Oct 05 '22 22:10
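
The behaviour described in the answer, as an added example that is not part of the original post: a simplified Node.js model (not browser code) in which a script loaded from bar.com into a foo.com page reads that page's `document.cookie`. The cookie jar, `makeDocument` and `readAsIncludedScript` are constructed for illustration; the `httpOnly` filter models the standard HttpOnly cookie flag, which keeps a cookie out of `document.cookie`.

```javascript
// Simplified model of which cookies a page's scripts can read (added example).
// Assumption: every cookie is treated as if it carried a Domain attribute.
// Constructed sample cookie jar: what the browser holds for two sites.
const jar = [
  { name: "session", value: "abc123", domain: "foo.com", httpOnly: false },
  { name: "auth", value: "s3cret", domain: "foo.com", httpOnly: true },
  { name: "tracker", value: "xyz", domain: "bar.com", httpOnly: false },
];

// RFC 6265 domain-match: exact host, or a subdomain of the cookie's domain.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Hypothetical stand-in for `document` on the page at documentUrl.
// The getter is named `cookie` (singular), as in the real DOM.
function makeDocument(documentUrl, cookieJar) {
  const host = new URL(documentUrl).hostname;
  return {
    get cookie() {
      return cookieJar
        .filter((c) => domainMatches(host, c.domain) && !c.httpOnly)
        .map((c) => `${c.name}=${c.value}`)
        .join("; ");
    },
  };
}

// Models <script src=scriptSrc> included in the page at documentUrl.
// scriptSrc is recorded but never consulted: the script runs with the
// embedding document's origin, whatever host served the .js file.
function readAsIncludedScript(documentUrl, scriptSrc, cookieJar) {
  const document = makeDocument(documentUrl, cookieJar);
  return {
    scriptSrc,
    cookie: document.cookie, // the embedding page's non-HttpOnly cookies
    cookies: document.cookies, // plural: no such property, so undefined
  };
}

const seen = readAsIncludedScript(
  "https://foo.com/index.html", "https://bar.com/lib.js", jar);
console.log(seen.cookie);  // session=abc123
console.log(seen.cookies); // undefined
```

Because any included script sees the page's readable cookies, marking session cookies HttpOnly and limiting which third-party scripts a page loads are the usual controls.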