I have a small js script and some clients who use it. A few days ago a client came to me with a site on 2 different domains. My script stores some data in cookies. When users within a single site go to another domain, I can't access this cookie. I'm looking for a solution and have come to a standstill. I have a server that hosts this script, and I read that if a site loads the script from my server, I can set a cookie on my server's domain. Is it true? For example, if I go to vk.com I can open dev tools and see cookies on the domains .scorecardresearch.com and .tns-counter.ru.
How can I do something like this?
No, you can't access windows/properties from different domains. Otherwise have a look at CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
It may be easy, but I never worked with cookies and the issue confuses me a little.
So let's say I have a script. It is uploaded to remote CDN.
I am using it by getting it in
<script src=http://link-to-script.com/script.js></script>.
Then, I load html code with those tags and run it on localhost so it gets the script from the CDN.
Now, I use some of the script's functions that set a cookie within it with document.cookie. In this part I would like to have the cookie not be set on the localhost domain (which is the case right now), but on the domain that the script was served from (the CDN). I want to have a 3rd party cookie instead of a 1st party one.
What is the best possible way to do that? Could you please point me in the right direction?
Hey, you can refer to "Can a 3rd party js script write cookies?"
To write third-party cookies (i.e. where the cookie is on the domain of the third party) requires that the cookies be sent in the headers of a download from that third party, and not written by JS code.
Write the code below in the request headers. MDN reference link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
Set-Cookie: <cookie-name>=<cookie-value>
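The header-based approach from this answer, sketched as an added example (not code from any of the posts): the server that hosts the script issues the cookie in the response to the script download, so the browser files it under that server's domain. The cookie name `visitor` and the function names are assumptions; browsers that block third-party cookies will not store or send it.

```javascript
// Added example: runs on the server that hosts script.js (the third party).
const http = require('node:http');
const { randomUUID } = require('node:crypto');

// Parse a Cookie request header into a plain object.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Build the response for GET /script.js. The cookie travels in the response
// headers, so it belongs to this server's domain, not to the embedding page.
function scriptResponse(cookieHeader, newId = randomUUID) {
  const headers = {
    'Content-Type': 'application/javascript',
    'Cache-Control': 'no-store', // each visitor must get their own headers
  };
  // "visitor" is a hypothetical cookie name chosen for this example.
  if (!parseCookies(cookieHeader).visitor) {
    // SameSite=None lets the cookie be sent on cross-site subrequests;
    // browsers accept SameSite=None only together with Secure (HTTPS).
    headers['Set-Cookie'] =
      `visitor=${newId()}; Max-Age=31536000; Path=/; Secure; HttpOnly; SameSite=None`;
  }
  return { status: 200, headers, body: '/* client script goes here */' };
}

// Wire the handler into a server; call createServer().listen(port) behind TLS.
function createServer() {
  return http.createServer((req, res) => {
    const r = scriptResponse(req.headers.cookie);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  });
}
```

Because the cookie is HttpOnly, the script running in the embedding page never sees it; only the hosting server reads it on later requests.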
You can only set a cookie for the current domain and its sub-domains.
For example:
You can create a cookie for a.mydomain.com, b.mydomain.com, c.mydomain.com from mydomain.com.
You can't create a cookie for mydomain.com from anotherdomain.com.
Cross-Domain Cookies
But if you want to create a cookie for another domain, you need to redirect to that particular URL and create the cookie from that site.
OR
If you want to create a cookie for another domain, you can try this:
<img src='http://www.anotherdomain.com/createCookie.php'>
Suppose I run bar.com. When a user visits bar.com, various 3rd party cookies are loaded: google analytics, facebook etc. As the admin of bar.com, I want to keep a list of 3rd party cookies being loaded on that site. Is there a way to do this through javascript? Something like document.cookie only gives me the cookie for bar.com.
JavaScript, running in the context of the page, only has access to cookies belonging to that domain.
There is no mechanism to access cookies from other domains, and security restrictions are put in place to prevent access when there might be a possibility (e.g. you can't read a Set-Cookie response header from a response to a fetch request because it is defined as a forbidden header in the CORS spec).
You need to use some other mechanism to find out about third-party cookies such as the developer tools or a browser extension.
One way, if you are able to use Chrome: devtools allows you to view cookies set on each relevant domain.
https://developers.google.com/web/tools/chrome-devtools/storage/cookies#open (note the example in the link only shows a case where one domain is in use)
It is important to note that different cookies may be set on different visits, though.
I highly recommend the chrome extension "EditThisCookie" which allows you to not only view each cookie but their values and various properties in depth:
https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en
I use electron 0.36.0 and I have a cookie for a page and this page has a nested frame with a different domain.
I need to somehow keep a cookie alive when going to this frame directly (different domain) and ideally, I want to avoid upgrades of electron (otherwise I would have to rewrite my code).
What's an ideal solution for my situation (it can be also a small workaround)?
Thank you!
Cookies can now be shared with different domains so you will have to find a different way of doing what you're trying to do.
For cross domain cookies alcuadrado has described a work around to do this in his post like below:
centralize all cookies in a single domain, let's say cookiemaker.com
when the user makes a request to example.com you redirect him to cookiemaker.com
cookiemaker.com redirects him back to example.com with the information you need
check this answer and this.
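The redirect flow listed above, as an added example that is not part of the original answer: handler logic for the central domain that issues or reads its own cookie and sends the user back with the identifier. The `/sync` path, the `return` and `uid` parameter names and the allow-list entries are assumptions; the allow-list is what keeps the endpoint from redirecting to, and sharing the identifier with, arbitrary sites.

```javascript
// Added example: handler logic for the central cookie domain (cookiemaker.com).
const { randomUUID } = require('node:crypto');

// Sites allowed to receive the identifier (constructed sample values).
const ALLOWED_RETURN_ORIGINS = new Set([
  'https://example.com',
  'https://shop.example.net',
]);

// Return the value of one cookie from a Cookie request header.
function readCookie(header = '', name) {
  const hit = header.split(';').map(s => s.trim())
    .find(s => s.startsWith(name + '='));
  return hit ? hit.slice(name.length + 1) : undefined;
}

// Handles GET https://cookiemaker.com/sync?return=<absolute URL>
function handleSync(requestUrl, cookieHeader, newId = randomUUID) {
  const returnParam = new URL(requestUrl, 'https://cookiemaker.com')
    .searchParams.get('return');
  let target;
  try {
    target = new URL(returnParam); // throws if missing or not absolute
  } catch {
    return { status: 400, headers: {} };
  }
  // Compare the parsed origin, not a string prefix: without this check the
  // endpoint is an open redirect that hands the identifier to any site.
  if (!ALLOWED_RETURN_ORIGINS.has(target.origin)) {
    return { status: 403, headers: {} };
  }
  const headers = {};
  let id = readCookie(cookieHeader, 'uid');
  if (!id) {
    id = newId();
    // First-party cookie: the browser is navigating to cookiemaker.com itself.
    headers['Set-Cookie'] =
      `uid=${id}; Max-Age=31536000; Path=/; Secure; HttpOnly; SameSite=Lax`;
  }
  target.searchParams.set('uid', id); // step 3: pass the information back
  headers.Location = target.toString();
  return { status: 302, headers };
}
```

The receiving site should copy `uid` from the query string into its own cookie and then redirect to a clean URL, so the identifier does not linger in browser history or Referer headers.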
I am creating a bookmarklet that is to be used across a wide range of domains. I wanted to set some cookies to store temporary settings for this bookmarklet, so I assumed that setting a cookie from this script would assign the cookie to the domain of the script's origin.
This was not the case, the bookmarklet is able to assign cookies to the domain of the current site being viewed. This is not suitable for my needs (this would remember settings per domain, rather than for the bookmarklet across all domains).
My question is, is this somehow breaking the cross domain policy? And a follow up question, how can I store cookies for the bookmarklet rather than the correct domain it is used on.
Bookmarklets are running in the context of the current page so that is the security context they run in and thus this doesn't break cross domain policy. You can only set cookies on the current page's domain. Because of this your bookmarklet can't have its own cookies.
This is the same as scripts that are loaded into a given page from a variety of domains. The origin of the page is what matters, not the origin of the script.
The only way I know of for you to save settings once for your script across all domains would be to use cross domain JSONP and store the settings on your server, but you still may have difficulty identifying a unique user.
It sounds like what you're trying to do would be much more suited to a browser plug-in which has local storage for the plug-in.
It does not break cross domain policy, since it is in fact run on a separate domain (that's the point behind a bookmarklet).
If you want to store cookie information, either make use of a 3rd party service (as in, have your own server with code that accepts cookie changes).
Note that this can be a security issue since every domain would be able to get cookies for your user, unless you make your service write-only (which I doubt).
Then there's another alternative - don't save settings in a cookie. Use a different storage medium instead.
Please, I would like to set cookies for my browser by my script running at my domain.. but I want to set cookies from another domain.
For example, I would like to set cookies that twitter.com sends me (when I would visit by browser), but I don't want to visit their page for the first time. Only when I visit their page after running my script, I want that their cookie is already set. Is it possible at all?
I thought, that changing the domain variable for document.cookie is doing the trick, but it doesn't work.. the twitter doesn't see any cookie being set.
No, you can't, obviously. Being able to control cookies from domains other than the one your website/web application runs on would be a tremendous security risk, because being able to set would also mean being able to read.
You can, but it requires some hacks and can't be done in javascript alone.
Open up Firefox and grab your "auth_token" cookie from twitter.com.
If you have access to a web server and can config it to accept all host headers.
Make up a fake subdomain and add it to your hosts file like:
127.0.0.1 xxxxxxx.twitter.com
From that server, set a cookie named "auth_token" with *.twitter.com as the domain.
This would work for twitter because their auth_cookie is set to expire in 20 years.