I am setting the cookie from a local HTML file as below using cookie.js library
$.cookies.set("Demo","Dummy Data");
From another domain I am trying to get the cookie value using below code
alert($.cookies.get("Demo"));
But it is returning me null.
Please help me on this
This is by design. You can only get the value of a cookie which was set on the current domain.
What you are asking for is not possible due to the security measures built in to web browsers.
The best alternative is to make a JSONP AJAX request which can cross domains.
You can not read a cookie set by another domain.
Take a look at this thread about cross-domain cookies:
Cross domain cookies
Basically, this is a security feature. If domain.com set a cookies, domain1.com should not have any access to it, otherwise you could get authentication tokens and other stuff for any website.
Unfortunately, it is returning null because cookies from another domain are not accessible. This is a security feature.
Consider, for example, your session cookie for some website. If I could access that cookie via JS on another domain, then my malicious website (that I trick you into visiting), can then take that session information and give it to some hacker. Then it becomes much more likely that the hacker can hijack your session. All too commonly, there are not other measures in place to make sure that the session used is used by the same person, so all a blackhat needs is the ID and voila - total access as you to the website. Say you're logged into your bank on one window, and then have my hacked evil webiste open in the other... now I might be able to access your bank account. Whoops!
So - it's not possible, and for good reason!
Indeed, this is not possible because of SOP (Same Origin Policy).
You can solve this problem with cross domain methods like: postMessage, JSONP, xmlHttpRequest or iframe to name a few.
However, you have to be concerned about security issues. This podcast explain how to breack cross domain barrier. The posts below also have solutions for your problem.
Stackoverflow Posts
How do I set cookies from outside domains inside iframes in Safari?;
Resizing an iframe based on content;
Related
I'm developing a page/form for a campaign inside my company. However, the first step is to check if the person is logged in. This is easily checked against a cookie - CUSTOMER - that is set once they're logged in.
However:
1) I'm developing locally, not on the same domain, and, as a result can't see that cookie
2) The final campaign may or may not end up residing on the actual domain. They may end up using a vanity URL or something.
For purposes of this, let's assume I do NOT have access to the main domain where the cookie was set.
How can I read that cookie from off the domain? Oh, and since IT folks don't let us touch the back-end grumble, it has to be a JS solution.
Thanks!
You can't.
The only cookies you can read with client side JavaScript are those belonging to the host of the HTML document in which the <script> is embedded.
By setting withCredentials you can support cookies in cross-origin requests, but they are handled transparently by the browser and JS has no direct access to them (the XHR spec goes to far as to explicitly ban getAllResponseHeaders from reading cookie related headers). The only way for a cross-origin request to get access to cookies is for the server (which you say you don't have access to) to copy the data into the body or a different response header).
You can if you can install server side components.
You can use a dedicated domain to host your cookie and then share it using XSS technics
When dom1.foo.com logs in then you register a cookie on cookie.foo.com using an Ajax XSS call then when you go on dom2.foo.com you have to query cookie.foo.com with your XSS api
I' ve played with it some time ago
https://github.com/quazardous/mudoco/blob/master/mudoco/README.txt
It's just some sort of POC..
I am implementing one advertising system in which when one user puts down script code into their website A. what I want to do at that time is set up a cookie into website A while it display response or resource of website B(Advertising System), so in present day when user comes again , I can log it's entry. I have read down this question and came to know that it is possible to set cookie into other website A when that website A is display content from another website B
In script I am executing one rest API and returning one response like below..
source_image = "http://example.com/media/format.png"
response = Response({'success':source_image})
response.set_cookie( 'cookie_name', 'cookie_value' )
return response
Now I am able to see cookie set in browser of the response of this url. But when I reload it ,cookie does not get display. Also why it is not getting display in the cookies section of the site in which I have put down script code.
Am I doing right thing to set up a cookie? And I have tried to set cookie's expiry date for 1 day. But still it is getting destroyed..Please help..
There are a few important things to know about cookies and browsers and how they interact across domains.
Websites can set cookies for their own website
Websites cannot set cookies for a different website
Cookies can be set on the response or using things such as JavaScript
The first two may seem confusing, especially when some sources say they are possible. It's important to note that they only affect cases where the response is directly setting the cookie using the Set-Cookie header, which allows a website to directly set a cookie. There are some special cases for things like subdomains, but in general you should not expect browsers to respect cookies set on other domains that you don't control.
If you were allowed to arbitrarily set cookies on other websites, this would open the door for websites to arbitrarily set and unset cookies you are using, even if they are unrelated. This would include the ability to log someone out across domains in just the response alone, which isn't possible.
The third point is important for cases like advertising, as cookies can be set using the Set-Cookie header (or response.set_cookie in Django) or using JavaScript through the document.cookie property. As JavaScript can included from any domain using the src property on <script> tags, any domain can manage cookies on another domain if it is included through JavaScript. This is important to how many analytics services, such as Google Analytics, work becuase it allows them to store unqiue cookies on each website for each user that is being monitored, even though they do not have full control over the response. They also typically use tracking beacons in the form of images to send data back to the external domain and associate it with the stored cookie.
The answer you linked to talks about this with images, but explains that it does not actually set the cookie on another domain. The cookie which is being set using the image or frame is stored only on the external domain, and cannot be accessed from the domain including the remote image.
Make sure that the HTTP header of "Set-Cookie" is being passed to the client in the HTTP response.
Try adding in the "domain" attribute for the cookie so the browser knows where to send the cookie.
Given a cookie with the common attributes (name, id, etc), is there anyway we can identify if the cookie is a third-party cookie? By that we mean a cookie that has been placed by website B while visiting website A. At the moment, I can see no ways of achieving that but perhaps I've missed something. I'm working on a project related to user privacy online and would like to get a list of websites that left third-party cookies in user's browser. I use Mozilla Firefox Browser.
There's no way to tell when looking at the store of cookies. The issue is that a cookie is always first party with respect to some site; the third-party-ness relates to the provenance of the cookie. The only way to identify if a cookie was a third-party cookie is to examine the actual header which set the cookie and see if that cookie was set for a domain other than the originating one. Everything is made far more complex by the fact that a cookie can be set for a whole domain (thus foo.bar.com is allowed to set for .bar.com so that grill.bar.com will also see the cookie) and determining whether a suffix is a domain or not is not at all easy (e.g., some countries have multi-level domains).
The final problem is that it's easy enough for the site to request some resource from another domain for real, and set the cookie that way. That's formally not a third-party cookie, as it is being set by the domain it references, but it works in effectively the same way.
Every cookie is set for a domain. You can compare domain names to identify 3rd party cookies. But maybe I did not fully grasp your question.
Based merely on list of cookies created so far in the browser, there is no way to say if a cookie is a third-party cookie.
I'm looking at using Amazon Cloudfront to distribute my JavaScript.
What I'm not clear on, however, is what happens to cookies if I do that. For example, if my site is example.com, and I'm including JavaScript from foo.cloudfront.net, does that JavaScript have access to cookies I set on example.com and visa versa? What's the best approach for cookie safety when you are serving your assets from another domain?
The javascript executes in the context of example.com, so no matter where it's served from will be able to access those cookies, and those cookies only. This encapsulation, which presumably is what you meant by cookie-safety, is enforced by the browser and shouldn't be something that you need worry about.
There might be third party cookies set in the distribution of the files (that depends on the distribution network, in this case Amazon's), although that won't be visible to the javascript, nor should it interest the javascript. If there are third party cookies set you should mention that in your privacy policy.
And to answer the question in the header; no, setting a cookie in code distributed from another domain does not count as third-party, since it executes under example.com, and will therefore only be able to set cookies under than domain.
Doesn't matter where the javascript code itself is hosted, what's important is the context in which it's running in - so the cookie will be correctly set to whatever host your main page is loading from...
I am trying to find a client-side way to determine if a page on a remote domain has changed.
I can't load the page in an iframe and examine its contents due to same origin policy.
So I tried using .getResponseHeader("Content-Length") and .getResponseHeader("Last-Modified") but apparently these are also restricted by SOP even though FireBug shows Content-Length in the console.
Is there a way to do this? I just need a way to know if the page has changed.
Thx
You can't do it completely client-side unless the other end supports CORS, or JSONP, or some other cross-origin mechanism for doing it. In the absense of that, your only options are:
Using server-side help
Using a signed script (which your users would have to grant permission to)
Using a signed Java applet (which your users would have to grant permission to)
Using an ActiveX control (which your users would have to grant permission to)
...you get the idea.