Please, I would like to set cookies for my browser by my script running at my domain.. but I want to set cookies from another domain.
For example, I would like to set cookies that twitter.com sends me (when I would visit by browser), but I don't want to visit their page for the first time. Only when I visit their page after running my script, I want that their cookie is already set. Is it possible at all?
I thought, that changing the domain variable for document.cookie is doing the trick, but it doesn't work.. the twitter doesn't see any cookie being set.
No you can't obviously. Being able to control cookies from domains other than the one your website/webapplication runs on, would be a tremendous security risk. Because being able to set, would also mean being able to read.
You can, but it requires some hacks and can't be done in javascript alone.
Open up firefox and grab your "auth_token" cookie from twitter.com
If you have access to a web server and can config it to accept all host headers.
Makeup a fake subdomain and add it to your hosts file like:
127.0.0.1 xxxxxxx.twitter.com
from that server set a cookie named "auth_token" with *.twitter.com as the domain.
This would work for twitter because their auth_cookie is set to expire in 20 years.
Related
It may be easy, but I never worked with cookies and the issue confuses me a little.
So let's say I have a script. It is uploaded to remote CDN.
I am using it by getting it in
<script src=http://link-to-script.com/script.js></script>.
Then, I load html code with those tags and run in on localhost so it gets the script from CDN.
Now, I use some of the script's function that sets a cookie within it with document.cookie. In this part I would like to have the cookie not be set on a localhost domain(which is a case right now), but on a domain that the script was served from(CDN). I want to have 3rd party cookie instead of 1st party.
What is the best possible way to do that? Could you please point me to right direction?
Hey you can refer Can a 3rd party js script write cookies?
To write third-party cookies (i.e. where the cookie is on the domain of the third party) requires that the cookies be sent in the headers of a download from that third party, and not written by JS code.
Write below code in request headers, MDN reference link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
Set-Cookie: <cookie-name>=<cookie-value>
You can only set cookie for current domain and it's sub-domains.
For-Example:
You can create cookie for a.mydomain.com , b.mydomain.com, c.mydomain.com from mydomain.com.
You can't create cookie for mydomain.com from anotherdomain.com.
Cross-Domain Cookies
But if you want to create cookie for another domain, You need to redirect to that particular URL and create cookie from that site.
OR
If you want to create cookie for another domain, you can try this,
<img src='http://www.anotherdomain.com/createCookie.php'>
Suppose I run bar.com. When a user visits bar.com, various 3rd party cookies are loaded: google analytics, facebook etc. As the admin of bar.com, I want to keep a list of 3rd party cookies being loaded on that site. Is there a way to do this through javascript? Something like document.cookie only gives me the cookie for bar.com.
JavaScript, running in the context of the page, only has access to cookies belonging to that domain.
There is no mechanism to access cookies from other domains, and security restrictions are put in place to prevent access when there might be a possibility (e.g. you can't read a Set-Cookie response header from a response to a fetch request because it is defined as a forbidden header in the CORS spec).
You need to use some other mechanism to find out about third-party cookies such as the developer tools or a browser extension.
One way, if you are able to use chrome, devtools allows you to view cookies set one each relevant domain.
https://developers.google.com/web/tools/chrome-devtools/storage/cookies#open (note example in link only shows a case where one domain is in use)
Important to note that different cookies may be set on different visits though
I highly recommend the chrome extension "EditThisCookie" which allows you to not only view each cookie but their values and various properties in depth:
https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en
I have a small js script and some clients, which use it. A few days ago a client came to me with the site on 2 differnet domains. My script store some data in cookies. When users within single site go to another domain - i can't access this cookie. I'm looking for a solution and come to a standstill. I have a server that hosts this script and i read that if site load script from my server - i can set cookie on my server domain. It's true? For example - if i go to vk.com i can open dev tools and see cookies on domains .scorecardresearch.com and .tns-counter.ru.
How can i do something like this?
No, you can't access windows/properties from different domains. Otherwise have a look at CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
I am creating a bookmarklet that is to be used across a wide range of domains. I wanted to set some cookies to store temporary settings for this bookmarklet, so I assumed that setting a cookie from this script would assign the cookie to the domain of the script's origin.
This was not the case, the bookmarklet is able to assign cookies to the domain of the current site being viewed. This is not suitable for my needs (this would remember settings per domain, rather than for the bookmarklet across all domains).
My question is, is this somehow breaking the cross domain policy? And a follow up question, how can I store cookies for the bookmarklet rather than the correct domain it is used on.
Bookmarklets are running in the context of the current page so that is the security context they run in and thus this doesn't break cross domain policy. You can only set cookies on the current page's domain. Because of this your bookmarklet can't have it's own cookies.
This is the same as scripts that are loaded into a given page from a variety of domains. The origin of the page is what matters, not the origin of the script.
The only way I know of for you to save settings once for your script across all domains would be to use cross domain JSONP and store the settings on your server, but you still may have difficulty identifying a unique user.
It sounds like what you're trying to do would be much more suited to a browser plug-in which has local storage for the plug-in.
It does not break cross domain policy, since it is in fact run on a separate domain (that's the point behind a bookmarklet).
If you want to store cookie information, either make use of a 3rd party service (as in, have your own server with code that accepts cookie changes).
Note that this can be a security issue since every domain would be able to get cookies for your user, unless you make your service write-only (which I doubt).
Then there's another alternative - don't save settings in a cookie. Use a different storage medium instead.
Per cookie specification this is not allowed (same principle as Same Origin Policy for ajax calls). As far as SOP is concerned, it does not apply, when you are running your javascript from file:/// (for example inside of a UIWebView). This is well documented and working in my example too. What about cookies though?
I have an app that makes a request to a server via javascript running, for all intends and purposes, locally (file:///). The authentication request sets a cookie with name let's say 'alpha', path: '/' and domain 'serverdomain.com'. During logout I need to clear the aforementioned cookie but I get the feeling that my attempts fail because I don't have access to it because it is considered to be from a different domain. Does that sound familiar? Or am I way off here? Is there a way to accomplish such a feat?
EXAMPLE
I am running my javascript on Chrome (using file:/// as the URI). I initiate a login and soon enough I can see the following cookie in the cookie manager plugin (this is not the actual cookie but it looks the same except for the name which we can say it is 'alpha'). The cookie is not marked http only but it has the 'session' and 'secure' checkboxes checked (unlike the screenshot below).
Now keep in mind that if I use the 'inspect element' feature of Chrome and go to 'Cookies', I get a 'There are no cookies for this site'.
During logoff I need to delete that cookie. So I do this in javascript:
document.cookie="alpha=; expires=Thu, 10 May 2000 15:07:07 GMT"
The cookie does not go away. The only way I can make it go away is by deleting it from the cookie manager. Should I be able to delete this cookie (while running from file:///)? If so how?
If the cookie was created on a different domain, this cookie won't be sent by the client to the server on the second domain, so you cannot remove it. You can set a cookie with the same name on this domain but that won't be the same cookie as the one that exists on the first domain.