views: 259
answers: 1

I've got a PHP script running on domain B that, when called generates some JS.

The idea is that in a given html page I can have:

<script src="http://b.domain/myscript.php"></script>

So when the page loads, the script is called and the JS is generated and run on the local page.

The problem is that myscript.php depends on B's domain cookies. If I type http://b.domain/myscript.php into my address bar, the script works fine, and I see the JS text in the browser window.

But when I include the quoted line above in a webpage running on a different webserver, call it A, it doesn't work. The JS is still generated, but is incorrect, as none of the cookies are available to the script.

So, in short, access the script directly, cookies are available, all is well. Access the script via a call from a page served from another domain and it doesn't have access to the cookies.

I don't understand why, in a call to a script running on the B domain, the browser doesn't seem to be sending B's cookies?
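Added example, not the asker's actual myscript.php: a sketch of how a script on domain B can read one of B's cookies and emit JavaScript for the including page, written so that it stays safe whether or not the browser attached the cookie. The cookie name `session_name`, the global `window.bDomainData`, and the `lookupDisplayName` helper are assumptions made for the illustration.

```php
<?php
// Added example (not the asker's code): a script on domain B that turns one of
// B's cookies into a JavaScript snippet for the page that includes it.

// Hypothetical: map the session cookie to a user's display name.
// Replace with the real session lookup on domain B.
function lookupDisplayName($sessionId) {
    return 'user-' . substr(hash('sha256', $sessionId), 0, 8);
}

// The response is script, not HTML, and it depends on the cookie, so it must
// never be served from a shared cache to a different visitor.
header('Content-Type: application/javascript; charset=utf-8');
header('Cache-Control: no-store');

// Read the cookie the browser attached to *this* request, if any.
// When the browser did not send it (the asker's cross-domain case), the script
// still emits valid JS with a "not logged in" payload instead of broken output.
$cookieValue = isset($_COOKIE['session_name']) ? $_COOKIE['session_name'] : null;

$payload = array(
    'loggedIn' => $cookieValue !== null,
    'display'  => $cookieValue !== null ? lookupDisplayName($cookieValue) : null,
);

// json_encode with the HEX flags yields a JS literal in which <, >, &, ' and "
// are escaped, so a hostile cookie value cannot break out of the script
// context and inject code into the including page on domain A.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
echo 'window.bDomainData = ' . json_encode($payload, $flags) . ';';
```

Serving cookie-derived values as a JSON literal rather than concatenating them into JS source is the point worth keeping from this sketch: the included script then carries data, not executable text built from user-controlled input.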

+1  A: 

This is a security feature. Cookie information is never made available to a domain other than the one that set the cookie. See: http://en.wikipedia.org/wiki/Cross-site_scripting for more info.

But the script that runs on B only needs B's cookies. No cookies are required to be sent to any domain other than that which set them.
Visage
It doesn't matter which server the _script_ came from; the script can only operate with cookies from the domain the _page_ came from. Otherwise I could, for example, include a script hosted at Google Code on my site and, when you visited that page, my site could use the script to steal your Google cookie, giving me access to your GMail account.
NickFitz
The script doesn't use cookies - only the server-side script that generates the client-side JS to run on the original page.
Visage