Set a cookie policy based on a domain whitelist - javascript

I'm making a website which loads images from various sources, without knowing what these sources may be.
Some of these image hosts do set cookies when an image is requested (e.g. Imgur) even though the cookie is not necessary.
Is it possible (using an HTML header or some JavaScript) to add a whitelist to my website that states which domains are trusted and allowed to set cookies, blocking all other third-party cookies?
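One way to enforce such a whitelist from the page side, as an added example that is not part of the question or of any answer on this page: there is no HTTP header that restricts cookies per third-party domain (a Content-Security-Policy img-src only decides whether an image loads at all), but an <img> with crossorigin="anonymous" is fetched in "same-origin" credentials mode, so for a cross-origin host the browser neither sends cookies nor stores any Set-Cookie it returns. Hosts on the whitelist keep the default credentialed load. The whitelist entries, the page host and the image URLs below are constructed for the example; the trade-off is that a host loaded anonymously must answer with Access-Control-Allow-Origin or the image will not render.

```javascript
// Added example (not from the original question): per-host cookie policy for
// embedded images. Untrusted hosts get crossorigin="anonymous" (no cookies sent
// or stored); whitelisted hosts and same-host images keep the default behaviour.
// TRUSTED_COOKIE_HOSTS and the hosts used below are constructed for the example.

const TRUSTED_COOKIE_HOSTS = ['cdn.example', 'images.partner.example'];

// A host is trusted if it equals a whitelist entry or is a subdomain of one.
function isTrustedHost(hostname, trusted = TRUSTED_COOKIE_HOSTS) {
  const h = hostname.toLowerCase();
  return trusted.some(t => h === t || h.endsWith('.' + t));
}

// Returns the attributes to put on an <img>: the resolved src plus, for
// untrusted cross-origin hosts, crossOrigin = 'anonymous'. Relative URLs resolve
// against the page host and are first-party. Non-http(s) schemes are refused.
function imageAttributesFor(src, pageHost, trusted = TRUSTED_COOKIE_HOSTS) {
  const url = new URL(src, 'https://' + pageHost + '/');
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error('refusing non-http(s) image URL: ' + url.protocol);
  }
  const host = url.hostname.toLowerCase();
  if (host === pageHost.toLowerCase() || isTrustedHost(host, trusted)) {
    return { src: url.href, crossOrigin: null };        // cookies allowed
  }
  return { src: url.href, crossOrigin: 'anonymous' };   // no cookies sent or stored
}

// Browser-side helper: crossOrigin must be set before src so the first request
// already uses the anonymous mode. Referrer is suppressed as well, since the
// point of the policy is to hand untrusted hosts as little as possible.
function createPolicedImage(src, pageHost = location.hostname) {
  const attrs = imageAttributesFor(src, pageHost);
  const img = document.createElement('img');
  if (attrs.crossOrigin) img.crossOrigin = attrs.crossOrigin;
  img.referrerPolicy = 'no-referrer';
  img.src = attrs.src;
  return img;
}
```

This only governs what the page itself requests; the user's own browser settings (for example Chrome's Incognito default of blocking third-party cookies, mentioned in an answer below) apply on top of it.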

Related

Does chrome store cookies from images?

Let's say I have a website (https://example.com). If I have an image on that website that is from my second website (https://example2.com), will Chrome store the cookies that it got from that image?
For example, if I set the Set-Cookie header on the image to store a cookie saying that the image was fetched, will Chrome save the cookie in the browser, so that if I were to visit https://example2.com I would be able to see that my browser had fetched an image from my servers before?
Yes, these are third-party cookies and work just as you describe. The browser will save them under the domain of the specific resource they were sent under, and re-send them on future requests to that domain, whether they are top-level page requests or sub-resource requests (e.g., an image).
The server must authorize a cookie to be sent as a third-party cookie via the SameSite=None cookie attribute. This also requires use of the Secure attribute, meaning in practice that third-party cookies can only be sent over HTTPS.
Third-party cookies currently work (as of July 2021) in modern browsers, but are blocked by default in Chrome's Incognito mode:
Third-party cookies are a major part of how cross-site tracking works: when any site embeds an advertisement or tracking image as a cross-site <img>, the foreign site serving the embedded image may send and read cookies for their domain, allowing them to know who they're serving ads for. (Have we seen this user before on any other partner sites? Do we have ads relevant to our understanding of this user's browsing habits?)
However, Google is trying to cease use of third-party cookies in advertising, so their future is somewhat uncertain.
I have a simple use of third-party cookies on my Arqade profile, which embeds a remote image from repl.co. The image is served with a unique cookie (and thereafter requested with that same unique cookie) to persistently control the same character in a game. There is no other communication with repl.co needed to establish this cookie relationship besides the embedded image.

Is there way to specify browser(user) from server?

I have clients (A, B) and they use my service.
They have domains and they include the same JavaScript in their websites.
The JavaScript communicates with my server and saves cookies to the domain.
The cookies are the information about a connected user, and the cookies are different for each user.
I assume they use the same browser.
So if a user connects to website A and then connects to website B, I want to save the same key information to their cookies.
Is there a way to do this?
You cannot access cookies for other domains, but you can set up a third domain tracking.example, and then request any resource (e.g. a 1-pixel image) from that domain.
To read the cookie from one of the websites, either use a CORS-enabled endpoint, e.g. https://tracking.example/getuserid, that allows client-side code on the website to read out the cookie or an ID that is associated with it, or embed an iframe from tracking.example and use inter-frame communication.
Note that for privacy reasons, third-party cookies are being restricted, or even totally blocked by some browsers and configurations. There is no replacement for third-party cookies; while there are ways to identify users without cookies, they are nowhere near 100% accurate, may violate local laws, and are intended to be so by browsers.
If both websites manage logins, you can of course use the logged-in email address as an ID.

Python : Setting cookie into another website

I am implementing an advertising system in which a user puts script code into their website A. What I want to do at that time is set a cookie on website A while it displays a response or resource from website B (the advertising system), so that when the user comes again, I can log their entry. I have read this question and came to know that it is possible to set a cookie on another website A when that website A displays content from another website B.
In the script I am executing one REST API and returning a response like below:
from rest_framework.response import Response  # assumes Django REST framework

def ad_view(request):  # view name assumed; the original only showed the body
    source_image = "http://example.com/media/format.png"
    response = Response({'success': source_image})
    response.set_cookie('cookie_name', 'cookie_value')  # stored under website B's domain only
    return response
Now I am able to see the cookie set in the browser in the response of this URL. But when I reload it, the cookie does not get displayed. Also, why is it not getting displayed in the cookies section of the site in which I have put the script code?
Am I doing the right thing to set up a cookie? I have tried to set the cookie's expiry date to 1 day, but it still gets destroyed. Please help.
There are a few important things to know about cookies and browsers and how they interact across domains.
Websites can set cookies for their own website
Websites cannot set cookies for a different website
Cookies can be set on the response or using things such as JavaScript
The first two may seem confusing, especially when some sources say they are possible. It's important to note that they only affect cases where the response is directly setting the cookie using the Set-Cookie header, which allows a website to directly set a cookie. There are some special cases for things like subdomains, but in general you should not expect browsers to respect cookies set on other domains that you don't control.
If you were allowed to arbitrarily set cookies on other websites, this would open the door for websites to arbitrarily set and unset cookies you are using, even if they are unrelated. This would include the ability to log someone out across domains in just the response alone, which isn't possible.
The third point is important for cases like advertising, as cookies can be set using the Set-Cookie header (or response.set_cookie in Django) or using JavaScript through the document.cookie property. As JavaScript can be included from any domain using the src property on <script> tags, any domain can manage cookies on another domain if it is included through JavaScript. This is important to how many analytics services, such as Google Analytics, work because it allows them to store unique cookies on each website for each user that is being monitored, even though they do not have full control over the response. They also typically use tracking beacons in the form of images to send data back to the external domain and associate it with the stored cookie.
The answer you linked to talks about this with images, but explains that it does not actually set the cookie on another domain. The cookie which is being set using the image or frame is stored only on the external domain, and cannot be accessed from the domain including the remote image.
Make sure that the HTTP header of "Set-Cookie" is being passed to the client in the HTTP response.
Try adding in the "domain" attribute for the cookie so the browser knows where to send the cookie.

AJAX between a static webpage and google app-engine server sharing same TLD

I have the main website hosted by a reliable static web hosting service, which only allows me to host static files like HTML, CSS, JS etc. Now I have a few requirements which would need user login and data storage. I think I can handle this using App Engine Python.
My app is similar to a voting module, so I will explain it using that example.
My plan is to configure things something like this:
main website: www.example.com
appengine: gae.example.com
On the main website an anonymous user visits http://www.example.com/vote.html. He should see the current voting status (which has been retrieved from App Engine) and a login button (from Twitter/Facebook). When he logs in, he should be able to cast his vote and have the vote saved back to the App Engine server.
I can handle most of the things but two (taking the same-origin policy into account):
How do I maintain authentication between two domain names, i.e. www.example.com and gae.example.com?
How do I make an HTTP POST request to gae.example.com from www.example.com and use the returned JSON data?
Note: I want to avoid iframes as much as possible.
You need to use JSONP.
Subdomains actually violate the same origin policy. This is because some hosted solutions provide subdomains for different users. This would allow users to attack each other's sites.
See: Same Origin Policy - AJAX & using Public APIs
You can maintain login between the two sub-domains by making sure that the login cookie is set on the root domain with subdomain access allowed. The sub-domains will be able to access the cookies of the root domain. See https://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com for some examples.
I don't believe you can make ajax calls directly to another sub-domain. If the target sub-domain is cooperating and supports JSONP, you can do it that way (you end up inserting a script tag with a call to a script and that script calls you back with the data). Because the loading of scripts isn't subject to the same origin policy, you can work around it, but the target sub-domain has to be configured to allow and support JSONP.

Is it possible to isolate domain.ext, sub1.domain.ext and sub2.domain.ext’s cookies from one another?

I am developing a web app that is served from domain.ext. This web app uses cookie-based sessions and provides users with the ability to host web pages containing custom JavaScript on a subdomain, e.g. sub1.domain.ext, sub2.domain.ext. The subdomains do not use cookie-backed sessions.
Given this setup, is it possible to ensure the following?:
users at sub1.domain.ext cannot read or write a cookie for domain.ext (i.e. domain.ext sessions cannot be stolen or hijacked by JavaScript embedded in a page at sub1.domain.ext).
JavaScript embedded in a page at sub1.domain.ext cannot read or write cookies at sub2.domain.ext, and vice versa.
I've tested out a few things; for example, it appears to be possible to interact with domain.ext's cookies from sub1.domain.ext by running document.domain = 'domain.ext' inside sub1.domain.ext's window. Is there some way to prevent this, for example by specifying some kind of policy when setting the domain from domain.ext?
You can't specify that a cookie should only be valid for example.com by setting the domain parameter. If you set domain=example.com, it will be valid for *.example.com.
Setting a cookie on example.com without a domain parameter sets a cookie for only example.com in most browsers. But not IE.
So, if you ever want to have subdomains with separate cookie contexts, you should serve your site from www.example.com only. As Gaby said, naturally you can still support access through example.com by giving a 301 redirect to the www version.
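The rules this answer relies on, as an added example that is not code from the answer: a small matcher that models how a browser scopes a cookie by its Domain attribute (RFC 6265). A cookie set without Domain is host-only and is returned only to the exact host that set it; Domain=domain.ext turns it into a domain cookie that every subdomain receives; a Domain that does not cover the setting host is rejected. Host names and cookie values below are constructed, and two things are deliberately not modelled: the old IE behaviour the answer mentions, and the public-suffix check real browsers add on top (a Domain of co.uk is rejected).

```javascript
// Added example (not from the original answer): RFC 6265 cookie scoping.
// Host names and cookies used here are constructed for the example.

// RFC 6265 section 5.1.3 domain matching: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase(); domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Parse name=value and the attributes that matter for scoping from a Set-Cookie
// header received from settingHost. Returns null when a browser would reject it.
// Simplification: the public-suffix check (e.g. Domain=co.uk) is not modelled.
function parseSetCookie(header, settingHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    hostOnly: true,                      // no Domain attribute: exact host only
    domain: settingHost.toLowerCase(),
    secure: false, httpOnly: false,
  };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    switch (k.toLowerCase()) {
      case 'domain': {
        const d = v.replace(/^\./, '').toLowerCase();   // leading dot is ignored
        if (!domainMatches(settingHost, d)) return null; // cannot scope to a foreign domain
        cookie.hostOnly = false;
        cookie.domain = d;
        break;
      }
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for requestHost?
function cookieSentTo(cookie, requestHost, https = true) {
  if (cookie.secure && !https) return false;
  const h = requestHost.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Convenience: which of several hosts receive a cookie set by settingHost.
function recipientsOf(header, settingHost, hosts) {
  const cookie = parseSetCookie(header, settingHost);
  return cookie ? hosts.filter(h => cookieSentTo(cookie, h)) : [];
}
```

Running recipientsOf('session=abc; Secure; HttpOnly', 'www.domain.ext', ['www.domain.ext', 'domain.ext', 'sub1.domain.ext']) returns only www.domain.ext, which is the layout the answer recommends: serve the session site from www and the subdomains never see its cookie. Cookies written from sub1.domain.ext via document.cookie are subject to the same rule, so a page there can scope a cookie to domain.ext (and thereby to every subdomain) but cannot read a host-only cookie belonging to www.domain.ext.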
