Why do browsers allow setting a cookie on the parent (cross) domain of an iframe?

Why can a site (a.com) having an iframe to another domain (b.com) have its cookie viewed and changed by that other domain document?

Just saw this happening in an ad, and went to do a proof of concept, and it worked... Here's what I did: first, pointed a.com and b.com to my test machine IP.

Then I have: http://a.com/a.html (this would be the site where I saw the ad)

<html><body><script src="http://b.com/b.js"></script></body></html>

http://b.com/b.js (this would be the ad script inserted inline in the site, pointing to the advertiser company domain)

document.write('<iframe src="http://b.com/b.html"></iframe>');

In http://b.com/b.html:

<html><body><script>document.cookie = "test=1;domain=.a.com;path=/;expires=Tue, 30 Oct 2012 02:47:11 UTC";</script></body></html>

And after I run that, in stock Firefox 14, I have a cookie on a.com.

What governs that? Where is this behavior defined?

gcb asked Oct 08 '12 20:10


1 Answer

In my opinion, it is due to the combination of the CORS mechanism and the fact that most browsers allow third-party cookies by default.


You will find useful information on the Mozilla developer Cookies webpage:

While first-party cookies are sent only to the server setting them, a web page may contain images or other components stored on servers in other domains (like ad banners). Cookies that are sent through these third-party components are called third-party cookies and are mainly used for advertising and tracking across the web.

[...] Most browsers allow third-party cookies by default

To avoid this default setting, you may be interested in SameSite cookies, which:

let servers require that a cookie shouldn't be sent with cross-site requests

but

SameSite cookies are still experimental and not yet supported by all browsers.


Also take a look at the CORS (Cross-Origin Resource Sharing) documentation, where you can read that:

The CORS mechanism supports secure cross-domain requests and data transfers between browsers and web servers. [...]

This cross-origin sharing standard is used to enable cross-site HTTP requests for:

[...]

  • Scripts (for unmuted exceptions).

You may also note in the Mozilla developer Security Same-Origin webpage that <frame> and <iframe> are resources which may be embedded cross-origin.


If you are concerned and would not accept any third-party cookie on Firefox, you may still install the Privacy Badger add-on (made by the EFF), but this solution requires access to the user's browser.

A STEFANI answered Sep 18 '22 18:09
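As an added example (not part of the question or the answer above), this is the domain-matching rule a browser applies when a cookie is set with a Domain attribute, as specified in RFC 6265 sections 5.1.3 and 5.3: the request host must equal the Domain value or be a subdomain of it, otherwise the cookie is ignored. The function names are my own, and the public-suffix check real browsers also perform is left out as a simplification.

```javascript
// Added example: RFC 6265 domain-matching for the Domain cookie attribute.
// Public-suffix handling is omitted (simplification), so "com" would match.

// RFC 6265 5.1.3: a host domain-matches a domain string when the two are
// identical, or the domain string is a suffix of the host, the character
// just before that suffix is ".", and the host is not an IPv4 address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith(domain) && host[host.length - domain.length - 1] === '.';
}

// Decide whether a document.cookie assignment (or Set-Cookie header) issued
// by a page served from `requestHost` is stored. Returns the effective cookie
// domain, or null when the browser must ignore the cookie (RFC 6265 5.3 step 6).
function effectiveCookieDomain(requestHost, cookieString) {
  const attrs = cookieString.split(';').slice(1).map(s => s.trim());
  let domain = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const name = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    if (name === 'domain') {
      let value = eq === -1 ? '' : attr.slice(eq + 1).trim();
      if (value.startsWith('.')) value = value.slice(1); // leading dot is ignored
      if (value !== '') domain = value.toLowerCase();
    }
  }
  if (domain === null) return requestHost.toLowerCase(); // host-only cookie
  return domainMatches(requestHost, domain) ? domain : null;
}

// Constructed sample: the exact assignment from the question, as issued by b.html.
const fromQuestion = 'test=1;domain=.a.com;path=/;expires=Tue, 30 Oct 2012 02:47:11 UTC';
console.log(effectiveCookieDomain('b.com', fromQuestion));     // null: ignored
console.log(effectiveCookieDomain('ads.a.com', fromQuestion)); // "a.com": stored
```

Per this rule a document on b.com cannot create a cookie scoped to a.com; only a.com itself or one of its subdomains can, which is the check to verify when reproducing the observation in a current browser.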