Share cookies with other domains

I know that it's possible to allow other domains to read our domain cookie as long as they're subdomains of the same parent domain.

For example, intranet.abc.com and extranet.abc.com can allow cookies to be read by each other by setting the domain property to .abc.com.

Now I really need to allow other domains to read my domain cookie (they are not subdomains of the same domain). I have searched a lot of discussions on the internet => all say "NO" due to security issues. I'm not sure if I missed a solution out there because I don't see any security issues in this case. My server clearly ALLOWS this cookie to be read by an XYZ.COM domain because the cookie does not contain any sensitive information and XYZ.COM domain is my trusted domain.

In my opinion, there should be a way to specify a list of other domains that are allowed to read a particular cookie in our domain, just like CORS, the server can decide if the information should be available to some trusted domains.

Please tell me if it's possible without using a workaround and if so, how to do it? If it's not possible, I really would like to know why.

Some information about what I'm implementing:

I'm implementing a file download and on client side I need to detect whether the download is complete by periodically checking for a download token in the cookie using an interval in javascript.

The logic of the current system I'm working on at the moment may store the files in 2 different servers. If the file is missing in the current server, it will download the file from another server (another domain).

Thank you very much.

Khanh TO asked Jan 08 '14 08:01


1 Answer

You can read off-domain cookies by opening an iframe to a specially instrumented page on the other domain and using the window.postMessage API to communicate between windows. HTML5 only, obviously.

The postMessage API is simplified somewhat here for brevity; consult the MDN developer pages for full details: https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage

<iframe id="ifrm" src="http://other.domain.com/getCookie.html"></iframe>
<script>
    var iframe = document.getElementById('ifrm');

    window.addEventListener('message', function (e) {
        // e.origin is a full origin (scheme + host, plus port if non-default),
        // so it must be compared against the full origin, not the bare host name
        if (e.source === iframe.contentWindow && e.origin === 'http://other.domain.com') {
            var cookie = e.data;
            //do something with cookie
        }
    });

    // wait for the iframe to load before posting; the targetOrigin argument
    // is also a full origin, and restricts who may receive the request
    iframe.addEventListener('load', function () {
        iframe.contentWindow.postMessage('give me the cookie:cookie name', 'http://other.domain.com');
    });
</script>

/* in getCookie.html */

<script>
    // minimal document.cookie lookup: returns the value of the named cookie, or null
    function getCookieFn(name) {
        var parts = document.cookie.split('; ');
        for (var i = 0; i < parts.length; i++) {
            var idx = parts[i].indexOf('=');
            if (idx > 0 && parts[i].substring(0, idx) === name) {
                return parts[i].substring(idx + 1);
            }
        }
        return null;
    }

    window.addEventListener('message', function (e) {
        // only answer the page that is allowed to ask (full origin, as above)
        if (e.origin === 'http://your.domain.com') {
            var match = /give me the cookie:(.*)/.exec(e.data);
            if (!match) { return; }
            var soughtCookie = match[1];
            // read the cookie
            var cookie = getCookieFn(soughtCookie);
            // reply only to the requesting origin
            e.source.postMessage(String(cookie), 'http://your.domain.com');
        }
    }, false);
</script>
user2217522 answered Sep 19 '22 01:09
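The exchange the answer describes, written as an added example that is not the answerer's code: both message handlers are modelled as pure functions of (origin, data) so the checks can be exercised outside a browser. It goes one step beyond the answer by having the page on the other domain keep an allowlist of the cookie names it is willing to relay, so a request for anything else (a session cookie, say) gets no value back even from a trusted origin. The origins, the cookie names and the document.cookie string are constructed for the example.

```javascript
// Added example, not from the original answer. Both origins and the cookie
// data below are constructed; in a browser, providerHandle would run inside
// the iframe's 'message' listener and consumerHandle inside the parent's.

const PROVIDER_ORIGIN = 'https://other.domain.com'; // hypothetical: page serving getCookie.html
const CONSUMER_ORIGIN = 'https://your.domain.com';  // hypothetical: page embedding the iframe

// Only these cookies may leave the provider origin. Everything else is refused.
const RELAYABLE_COOKIES = new Set(['downloadToken']);

// Parse a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const out = new Map();
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out.set(name, part.slice(i + 1).trim());
  }
  return out;
}

// Provider side (iframe on other.domain.com). Returns the reply object to post
// back, or null when the message must be ignored. Note the origin check is an
// exact match on the full origin, scheme included: 'other.domain.com' alone
// never equals an event's origin, which is the bug in the original snippet.
function providerHandle(origin, data, cookieString) {
  if (origin !== CONSUMER_ORIGIN) return null;
  if (typeof data !== 'object' || data === null) return null;
  if (data.type !== 'get-cookie' || typeof data.name !== 'string') return null;
  if (!RELAYABLE_COOKIES.has(data.name)) {
    // Trusted asker, but not a cookie we relay: answer with no value.
    return { type: 'cookie', name: data.name, value: null, error: 'not relayable' };
  }
  const cookies = parseCookies(cookieString);
  return { type: 'cookie', name: data.name, value: cookies.has(data.name) ? cookies.get(data.name) : null };
}

// Consumer side (parent page on your.domain.com). Returns the relayed value
// from a reply that passed every check, or undefined if the reply is ignored.
function consumerHandle(origin, data, expectedName) {
  if (origin !== PROVIDER_ORIGIN) return undefined;
  if (typeof data !== 'object' || data === null || data.type !== 'cookie') return undefined;
  if (data.name !== expectedName) return undefined;
  return data.value;
}

// Simulated round trip. In a browser the two hops are
//   iframe.contentWindow.postMessage(request, PROVIDER_ORIGIN)   and
//   e.source.postMessage(reply, CONSUMER_ORIGIN);
// here the origin each side would observe is passed in explicitly.
function exchange(requestOrigin, request, providerCookieString, replyOrigin) {
  const reply = providerHandle(requestOrigin, request, providerCookieString);
  if (reply === null) return undefined;
  return consumerHandle(replyOrigin, reply, request.name);
}

// Constructed document.cookie content for the provider page.
const SAMPLE_COOKIES = 'downloadToken=abc123; sessionId=SECRET';

function demo() {
  const ask = (name) => ({ type: 'get-cookie', name });
  return {
    // happy path: trusted origin asks for a relayable cookie
    ok: exchange(CONSUMER_ORIGIN, ask('downloadToken'), SAMPLE_COOKIES, PROVIDER_ORIGIN),
    // untrusted origin asks: provider stays silent
    wrongOrigin: exchange('https://untrusted.example', ask('downloadToken'), SAMPLE_COOKIES, PROVIDER_ORIGIN),
    // trusted origin asks for a cookie outside the allowlist: no value
    secret: exchange(CONSUMER_ORIGIN, ask('sessionId'), SAMPLE_COOKIES, PROVIDER_ORIGIN),
    // reply arrives with a bare host name as origin (never happens in a
    // browser, but shows why host-only comparisons silently fail)
    hostOnlyOrigin: exchange(CONSUMER_ORIGIN, ask('downloadToken'), SAMPLE_COOKIES, 'other.domain.com'),
  };
}

console.log(demo());
```

Structured messages (`{ type, name }`) rather than a free-form string keep the provider from having to regex-parse requests, and replying with `null` for non-relayable names lets the consumer distinguish "refused" from "cookie not set" without the provider ever revealing the value.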