JavaScript and third party cookies
Problem description
Say there is a site foo.com which loads JavaScript from site bar.com. Now, say the JavaScript from site bar.com tries to read cookies using document.cookies. I was under the impression that using JavaScript, you can read all the cookies set in the browser irrespective of their source. But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other. If this is the case, how are script injection attacks which steal cookies carried out?
Recommended answer
But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other.
That isn't true. What matters is where the HTML document containing the <script> element is, not the URL of the JS file that said <script> mentions in the src attribute.
I suspect your problem is that you are accessing document.cookies when the property is called document.cookie (Singular!)
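An added example (not part of the original answer): a simplified Node.js model of how a browser picks the cookies returned by document.cookie, showing that the document's URL decides and the script's src does not. The jar contents, the documentCookie helper and its parameters are constructed for illustration; Secure, SameSite, expiry and cookie ordering are not modeled.

```javascript
// Simplified model of which cookies a browser exposes through document.cookie.
// Constructed sample jar; names and values are made up for illustration.
const jar = [
  { name: "session", value: "abc", domain: "foo.com", hostOnly: true, path: "/", httpOnly: false },
  { name: "auth", value: "xyz", domain: "foo.com", hostOnly: true, path: "/", httpOnly: true },
  { name: "prefs", value: "dark", domain: "foo.com", hostOnly: false, path: "/account", httpOnly: false },
  { name: "tracker", value: "t1", domain: "bar.com", hostOnly: true, path: "/", httpOnly: false },
];

// RFC 6265 domain-match: exact host, or a subdomain when the cookie had a Domain attribute.
function domainMatches(host, cookie) {
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

// RFC 6265 path-match: identical, or the cookie path is a prefix ending at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// scriptSrc is accepted only to show that it plays no part in the decision.
function documentCookie(documentUrl, scriptSrc) {
  const doc = new URL(documentUrl);
  return jar
    .filter((c) => domainMatches(doc.hostname, c))
    .filter((c) => pathMatches(doc.pathname, c.path))
    .filter((c) => !c.httpOnly) // HttpOnly cookies are never exposed to scripts
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}
```

The HttpOnly cookie never appears in the result, which is why setting that attribute on session cookies limits what any script running in the page, first-party or third-party, can read.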