Why do browsers still allow Javascript to see cookies?

Question

I'm sure there's still plenty of sites out there that, for some inexplicable reason, use Javascript to manipulate cookies, but there's really no good reason to allow this in light of all the XSS that can occur. Why do browsers still allow this? Why not simply prevent JS from seeing cookies?

Answer 1

I must admit, this question is similar to saying "Why do browsers still support HTML, its old". Backwards compatability is a huge issue, and cutting off all existing javascript code that manipulates cookies would be disastrous.

That being said, there are also cases where javascript manipulation of cookies is usefull for cross site communication and whatnot.

Answer 2

This way you can set preferences directly in the cookies without making AJAX requests and save in the session / user_profile on the server side. This is useful for some UI preferences you want to keep when you revisited the website and on the server side its more easier because you don't need to register to see your preferences when your session has expired.

Answer 3

You can set httponly cookies from the server side, and javascript can't see those. That would give the effect you desire.

I sometimes rely on cookies for storing a tiny amount of client-side data from javascript, understanding that this is suboptimal in that the browser will send the cookie in every request to the server even though it's only being used on the client side.

Answer 4

And lets be clear; JavaScript manipulating cookies is totally reasonable and acceptable. It, by itself, doesn't create an XSS issue. A badly written site does.