JavaScript and third party cookies


Problem description

Say there is a site foo.com which loads JavaScript from site bar.com. Now, say the JavaScript from site bar.com tries to read cookies using document.cookies. I was under the impression that using JavaScript, you can read all the cookies set in the browser irrespective of their source. But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other. If this is the case, how are script injection attacks which steal cookies carried out?

Recommended answer


But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other.

That isn't true. What matters is where the HTML document containing the <script> element is, not the URL of the JS file that said <script> mentions in the src attribute.

I suspect your problem is that you are accessing document.cookies when the property is called document.cookie (Singular!)
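
The rule in the answer above, as an added example that is not part of the original answer: a small model of which cookies `document.cookie` returns, keyed on the document's URL rather than the script's `src`. The cookie jar, cookie names and URLs are constructed sample data, and the `HttpOnly`/`Secure` filtering goes beyond what the answer states, following the standard cookie matching rules of RFC 6265.

```javascript
// Model of which cookies document.cookie exposes (RFC 6265 matching rules).
// The cookie jar and hostnames below are constructed sample data.

// RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 5.1.4: request path equals the cookie path or lies beneath it.
function pathMatches(path, cookiePath) {
  if (path === cookiePath) return true;
  if (!path.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || path[cookiePath.length] === "/";
}

// What a script sees when it reads document.cookie. scriptSrc is accepted
// only to show that it plays no part in the decision.
function visibleCookies(jar, documentUrl, scriptSrc) {
  const doc = new URL(documentUrl);
  return jar
    .filter((c) => domainMatches(doc.hostname, c))
    .filter((c) => pathMatches(doc.pathname, c.path))
    .filter((c) => !c.secure || doc.protocol === "https:")
    .filter((c) => !c.httpOnly) // HttpOnly cookies are hidden from scripts
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

const jar = [
  { name: "foo_session", value: "abc", domain: "foo.com", hostOnly: true,
    path: "/", httpOnly: false, secure: false },
  { name: "foo_auth", value: "s3cret", domain: "foo.com", hostOnly: true,
    path: "/", httpOnly: true, secure: true },
  { name: "bar_id", value: "xyz", domain: "bar.com", hostOnly: true,
    path: "/", httpOnly: false, secure: false },
];

// Page on foo.com, script file served from bar.com: foo.com's cookies are read.
console.log(visibleCookies(jar, "https://foo.com/index.html", "https://bar.com/lib.js"));
// Same script file included by a page on bar.com: bar.com's cookies are read.
console.log(visibleCookies(jar, "https://bar.com/", "https://bar.com/lib.js"));
```

In the model, marking the session cookie `HttpOnly` is what keeps it out of reach of any script running in the foo.com document, whichever host served that script.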
