Royi Namir

Reputation: 148514

HTML elements which also send a cookie for cross-domain requests?

One of the first earlier hacks of a major social website (using an old browser) was:

That's fine (that was a preview to my question).

Question

Upvotes: 2

Views: 1985

Answers (1)

mfirdaus

Reputation: 4592

Wouldn't it be more accurate to say that any resource requested by the browser from a certain domain would send the cookies in the request? So really, any element that "loads" any resource from a server would have the cookies sent. So I'd say images, JSON files, HTML/PHP files, external CSS files and probably web fonts would send cookies. This could be one of the reasons why you would want to host your resources (scripts, CSS files, images) on another domain as an optimisation thing.

This JSFiddle is mostly a proof that CSS files can "remember".

HTML

<link href="remember.php?.css" rel="stylesheet"/>
<a href="#" id="red">Remember Red</a>

Javascript

// "red" resolves to the element with id="red"
red.onclick = function (e) {
    // requesting the image sends the session cookie along with ?col=red
    var img = new Image();
    img.src = "remember.php?col=red";
    return false;
};

remember.php

<?php
session_start();                    // needed before $_SESSION is available
header("Content-Type: text/css");   // the browser requested this as a stylesheet

if(isset($_GET["col"])){
    $_SESSION["fav_color"]=$_GET["col"];
}

echo "body {
 color:".htmlentities(@$_SESSION["fav_color"] ?: "blue")."
}";

So what should happen is that, when we load an image with the URI remember.php?col=red, the server will remember the color value even on refresh. Same principle with images and, I would assume, web fonts.


Another example is images, which should send cookies when loaded. Though, for example, stackoverflow.com hosts the images on another domain (in this case the layout stuff is on cdn.sstatic.net/stackoverflow/img/sprites.png). And even if it did send them, we wouldn't normally know if cookies were sent unless the cookie affects the image somehow. But if we check with the developer tools we would actually note that cookies do get sent. For example:

[Screenshot: an image hosted on php.net, request headers shown in the developer tools]

[Screenshot: the same image loaded from a different domain]

As you can see, the cookies do get sent, even cross-domain. As further proof, here is the remember.php demo but with images.

Demo

HTML

<img src="http://mfirdaus.net/random/so/remember_image.php"/>
<a href="#" id="toggle">Toggle Image</a>

Javascript

toggle.onclick = function () {
    var img = new Image();
    img.src = "http://mfirdaus.net/random/so/remember_image.php?toggle";
    // the toggle request returns an empty body, so onerror fires; reload to show the new image
    img.onerror = function () {
        window.location = window.location;
    };
    return false;
};

remember_image.php

<?php
session_start();                    // the session cookie is what the <img> request carries

if(isset($_GET["toggle"])){
    $_SESSION["like_cats"]=!@$_SESSION["like_cats"];
    die();                          // empty body: the Image() onerror handler fires and reloads the page
}

header("Content-Type: image/jpeg");
echo file_get_contents(@$_SESSION["like_cats"] ? "cat.jpeg" : "duck.jpeg" );

In this demo, the cookie does affect the image, hence it's easier to tell that the cookies get sent with images.


Now whether this resource contains privileged data (such as the JSON data that contains the friend list) and the page calling this resource has the capability to use this privileged data (in this case, by doing magic JavaScript stuff to exploit the JSON) is another matter. Browsers should be safe enough that most of the obvious vectors should be secured. We can't even access other domains' images directly to put in canvases due to security. But of course there will be those pesky bugs and exploits for browser vendors to deal with.

I used to use this fact to make a Firefox extension that just scraped authenticated pages of a website to show a sidebar with parsed data, because ajax in Firefox extensions doesn't have the same-domain restrictions as normal pages, and I didn't have to bother to do anything special to authenticate because ajax sends the cookies as one would expect.

Upvotes: 1
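The answer above demonstrates that a cross-domain `<img>` or `<link rel="stylesheet">` request carries the session cookie of the target site, which is the same property that CSRF and the "friend list JSON" leak in the question depend on. The following is an added example, not code from the answer or from mfirdaus's demo: a deliberately simplified model of the rule a browser applies when deciding whether to attach a stored cookie to such a request. It goes beyond the page in one respect: it includes the `SameSite` cookie attribute, which browsers introduced after this answer was written, and whose modern default (`Lax`) is the reason the demo's cross-site image request no longer carries the cookie unless the server opts in with `SameSite=None; Secure`. Assumptions, labelled in the code: the "site" of a host is approximated as its last two labels (real browsers use the Public Suffix List), and path, expiry and host-only matching are reduced to a single host comparison. The cookie value and the jsfiddle.net initiator are constructed.

```javascript
// Added example (not from the answer above): simplified model of a browser's
// cookie-attachment decision for subresource requests (img, stylesheet, font, XHR).

function parseSetCookie(header) {
  // "name=value; Attr; Attr=val" -> { name, value, attrs: { attr: val | true } }
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

function site(host) {
  // ASSUMPTION: registrable domain approximated as the last two labels (no Public Suffix List)
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// cookie:  { host, name, value, attrs }  -- host is the server that set the cookie
// request: { url, initiatorHost, topLevelNavigation, method }
// options.defaultSameSite: what the browser assumes when the cookie carries no SameSite attribute.
//   'none' models pre-2020 browsers (the behaviour the answer's demo shows); 'lax' is the modern default.
function cookieAttached(cookie, request, options = {}) {
  const defaultSameSite = options.defaultSameSite || 'lax';
  const url = new URL(request.url);
  if (url.hostname.toLowerCase() !== cookie.host.toLowerCase()) return false; // not this cookie's host

  const secure = cookie.attrs.secure === true;
  if (secure && url.protocol !== 'https:') return false;        // Secure cookies never travel over http

  const explicit = typeof cookie.attrs.samesite === 'string' ? cookie.attrs.samesite.toLowerCase() : null;
  if (explicit === 'none' && !secure) return false;             // SameSite=None is rejected without Secure
  const sameSite = explicit || defaultSameSite;

  const crossSite = site(request.initiatorHost) !== site(url.hostname);
  if (!crossSite) return true;                                  // same-site requests always carry the cookie
  switch (sameSite) {
    case 'strict': return false;                                // never on a cross-site request
    case 'lax':                                                 // only on top-level GET navigations, never for <img>/<link>
      return Boolean(request.topLevelNavigation) && (request.method || 'GET').toUpperCase() === 'GET';
    case 'none': return true;                                   // the server opted in to cross-site use
    default: return false;
  }
}

// Constructed scenario mirroring the answer's demo: a page on jsfiddle.net embeds an
// <img> pointing at remember_image.php on mfirdaus.net, which set a plain session cookie.
const SESSION_COOKIE = {
  host: 'mfirdaus.net',
  ...parseSetCookie('PHPSESSID=constructed-session-id; Path=/'),  // constructed value
};
const IMG_REQUEST = {
  url: 'http://mfirdaus.net/random/so/remember_image.php',
  initiatorHost: 'jsfiddle.net',   // constructed: the page hosting the <img>
  topLevelNavigation: false,       // a subresource load, not a navigation
  method: 'GET',
};

function demo() {
  return {
    legacyBrowser: cookieAttached(SESSION_COOKIE, IMG_REQUEST, { defaultSameSite: 'none' }), // true
    modernBrowser: cookieAttached(SESSION_COOKIE, IMG_REQUEST),                              // false
  };
}

console.log(demo());
```

The practical reading for a defender: a cookie without an explicit `SameSite` attribute behaves as the answer describes only in browsers that default to `None`; in current browsers the same `<img>` arrives without the cookie, and a server that deliberately needs cross-site credentials has to set `SameSite=None; Secure` and should then expect every embedding site to be able to trigger authenticated requests, which is exactly what CSRF tokens exist to cover.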
