views:

393

answers:

4

Hi,

If I have a site (e.g. foo.com) and on the home page of foo.com, there is an image request where the src=bar.com..., will the cookies on the bar.com domain be sent to the bar.com servers?

Thanks!

+6  A: 

Yes. HTTP doesn't distinguish between one kind of resource or another (image vs html).

John Saunders
Which is why ad servers like doubleclick, etc can track you across the web.
chris
I've used this fact to set cross-domain login cookies. Not even close to reliable (just because the user may not wait for your image to load), but it definitely works.
ojrac
@ojrac: Wikipedia (etc.) use images for cross-domain login too, BTW.
derobert
+4  A: 

The cookie will typically be included in any type of request, but the scenario you describe is what's known as a third-party cookie (that is, the cookie is set on a domain that is different than the domain of the loaded page) and most browsers offer a privacy setting to block third-party cookies.

A third-party cookie allows the owners of bar.com to place an image (say a banner ad) on foo.com and track the users of foo.com even though those users have never visited bar.com. This is a privacy concern and many users elect to block such cookies.

JacobM
A: 

Yes, cookies are sent on all requests. This includes "img" and "script" as well as XMLHttpRequest calls from JavaScript and can be a security issue on script tags as scripts loaded by one website can load scripts from another site and will send their authentication cookies too. This can be exploited to steal data.

John Burton
A: 

If third-party cookies are not blocked by the user then most modern browsers will set or send cookies of the third party domain when a request is made to the third party web site. IE 6 has a different kind of blocking mechanism called leashing. wiki: A leashed cookie is a third-party cookie that is sent by the browser only when accessing a third-party document via the same first-party.

okok
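The answers above make two points: cookies are selected by the host being requested, not by the kind of resource (image, script, XHR), and a browser's third-party-cookie setting can suppress them in a cross-site context. The following Node.js script is an added example, not code from the thread or from any browser; it is a toy model of a cookie jar deciding which cookies accompany a request. It also models the `SameSite` cookie attribute, which postdates the thread and is the defender-side control that makes the scenario in the question (an `<img src>` on foo.com carrying bar.com's session cookie) fail unless the site owner explicitly opts in. The cookie jar, hostnames and request shapes are constructed for the demo, and the registrable-domain check is a deliberate simplification (last two labels; real browsers consult the Public Suffix List).

```javascript
// Added example: toy model of a browser cookie jar for sub-resource requests.
// Assumptions: a cookie is {name, value, domain, sameSite}; a request is
// {url, topLevelSite, method, navigation}; "site" is approximated by the last
// two labels of the hostname (real browsers use the Public Suffix List).

// Constructed jar: three bar.com cookies with different SameSite values and
// one foo.com cookie, so the effect of each attribute is visible.
const JAR = [
  { name: "session", value: "abc",  domain: "bar.com", sameSite: "None" },
  { name: "prefs",   value: "dark", domain: "bar.com", sameSite: "Lax" },
  { name: "csrf",    value: "xyz",  domain: "bar.com", sameSite: "Strict" },
  { name: "sid",     value: "123",  domain: "foo.com", sameSite: "Lax" },
];

// Simplified eTLD+1: "img.bar.com" -> "bar.com".
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// RFC 6265 style domain match: exact host or a subdomain of the cookie domain.
function domainMatches(cookieDomain, host) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Return the "name=value" pairs the model browser would attach to `request`.
// policy.blockThirdParty models the privacy setting the answers mention.
function cookiesFor(request, jar = JAR, policy = { blockThirdParty: false }) {
  const host = new URL(request.url).hostname;
  const topHost = new URL(request.topLevelSite).hostname;
  const isSameSite = registrableDomain(host) === registrableDomain(topHost);

  return jar
    .filter((c) => domainMatches(c.domain, host))   // host decides, not resource type
    .filter((c) => {
      if (isSameSite) return true;                  // first-party context: everything goes
      if (policy.blockThirdParty) return false;     // user blocks third-party cookies
      switch (c.sameSite) {
        case "Strict": return false;                // never cross-site
        case "Lax":    return request.navigation && request.method === "GET"; // top-level nav only
        default:       return true;                 // SameSite=None (browsers also require Secure)
      }
    })
    .map((c) => `${c.name}=${c.value}`);
}

// The scenario from the question: foo.com's home page embeds an image from bar.com.
const IMG_FROM_FOO = {
  url: "https://bar.com/pixel.gif", topLevelSite: "https://foo.com/",
  method: "GET", navigation: false,
};

function demo() {
  return {
    // bar.com image embedded on foo.com: only the SameSite=None cookie travels
    imageOnFoo: cookiesFor(IMG_FROM_FOO),
    // same request, but the user blocks third-party cookies: nothing travels
    imageOnFooBlocked: cookiesFor(IMG_FROM_FOO, JAR, { blockThirdParty: true }),
    // user clicks a link from foo.com to bar.com: Lax cookies are included too
    linkToBar: cookiesFor({ url: "https://bar.com/", topLevelSite: "https://foo.com/",
                            method: "GET", navigation: true }),
    // same image loaded on bar.com itself: all bar.com cookies, resource type irrelevant
    imageOnBar: cookiesFor({ url: "https://bar.com/pixel.gif", topLevelSite: "https://bar.com/",
                             method: "GET", navigation: false }),
  };
}

console.log(demo());
```

Two details the toy model leaves out matter in practice: current browsers treat a cookie with no `SameSite` attribute as `Lax`, so the tracking-pixel case in the question only works today if bar.com sets `SameSite=None; Secure` deliberately, and the `Strict`/`Lax` rows are exactly why session cookies should not be `None`: a cross-site `<img>` or form that silently carries an authenticated session is the classic CSRF vector.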