M4nch4k

Reputation: 465

Cross domain cookie with script tag?

I was working on JSONP to send data from a cookie, from a domain A to a domain B. It works well, but that is not my question. I just realized that if I only put a script tag on my domain B pointing to my domain A, all the cookies of my domain A are set on my domain B.

Example: I put this tag on my domain B:

<script src="http://mydomainA.com/"></script>

Only with that, all the cookies of my domain A are set on my domain B. My question is: is this normal? I thought cookies needed some hacks to be cross-domain, but I didn't think it was that easy.

Sorry for my bad English, and I apologize if my question is stupid or if it has been asked before.

Thanks in advance.

Upvotes: 5

Views: 8847

Answers (1)

Raffaele

Reputation: 20875

Cookies are simply headers in HTTP requests. When the browser requests

GET /foo
Host: a.com

it receives an HTML document, which contains a <script> tag hosted on another domain. So it fires another request:

GET /script.js
Host: b.com
Cookie: foobarbaz

and it can certainly append cookies for domain b.com, if any. This means that the last time the browser contacted b.com, the HTTP response contained a header like

...
Set-Cookie: foobarbaz
...

and so subsequent requests to the same domain will maintain the session. When the browser requests another resource from a.com such as

GET /bar.jpeg
Host: a.com

the cookie foobarbaz set by b.com will not be sent along with the request, so the scripts on a.com don't have access to data from b.com.

Upvotes: 5
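
An added example (not part of Raffaele's answer): a small JavaScript model of the cookie jar behaviour described above, where cookies are filed under the host that set them and attached only to requests going to that host. It goes one step beyond the answer by also modelling the `SameSite` attribute, which lets b.com keep a cookie off cross-site subresource requests such as a `<script>` load. The `CookieJar` class, the cookie names and the "same host" approximation of same-site are assumptions made for the example.

```javascript
// Minimal model of a browser cookie jar (constructed for illustration).
// Simplifications: host-only cookies, no Path/Expires handling, and
// "same-site" is approximated as "same host".
class CookieJar {
  constructor() {
    this.byHost = new Map(); // host -> Map(name -> { value, sameSite })
  }

  // File a cookie under the host whose response carried Set-Cookie.
  setFromResponse(host, setCookieHeader) {
    const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    // Model choice: absent SameSite is treated as "None" (legacy behaviour).
    let sameSite = "None";
    for (const attr of attrs) {
      const [k, v] = attr.split("=").map((s) => s.trim());
      if (k.toLowerCase() === "samesite" && v) {
        sameSite = v[0].toUpperCase() + v.slice(1).toLowerCase();
      }
    }
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    const cookie = { value: pair.slice(eq + 1), sameSite };
    this.byHost.get(host).set(pair.slice(0, eq), cookie);
  }

  // Cookie header for a subresource request (e.g. <script src>) sent to
  // requestHost by a page that was loaded from pageHost.
  cookieHeaderFor(requestHost, pageHost) {
    const cookies = this.byHost.get(requestHost) || new Map();
    const crossSite = requestHost !== pageHost;
    const sent = [];
    for (const [name, { value, sameSite }] of cookies) {
      // Lax and Strict cookies are withheld from cross-site subresources.
      if (crossSite && sameSite !== "None") continue;
      sent.push(`${name}=${value}`);
    }
    return sent.join("; ");
  }
}

function demo() {
  const jar = new CookieJar();
  jar.setFromResponse("b.com", "session=foobarbaz; SameSite=None; Secure");
  jar.setFromResponse("b.com", "prefs=dark; SameSite=Lax");
  return {
    scriptOnA: jar.cookieHeaderFor("b.com", "a.com"), // a.com page loads b.com script
    imageOnA: jar.cookieHeaderFor("a.com", "a.com"), // a.com never sees b.com cookies
  };
}
console.log(demo());
```

In both cases the cookies stay in b.com's jar: the page on a.com only causes the browser to send them back to b.com.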
