JavaScript
KaminskyIlya, 2019-10-28 07:18:17

Why is a third party script accessing the cookie?

A third-party 3dparty.js script from the www.test2.ru domain tries to access a cookie from the www.test1.ru domain. This script is executed in the context of the www.test1.ru page.
There is a test page from the www.test1.ru domain:

<html>
<head>
  <script>
    var h = window.location.host;
    document.cookie = 'Victim=Vulnerable; domain='+h+'; path=/; max-age=3600; samesite=strict';
  </script>
</head>
<body>
  Hello world!
  <script src="http://www.test2.ru/3dparty.js" defer></script>
</body>
</html>

There is a 3dparty.js script downloaded from a third-party domain www.test2.ru:
console.log( 'Cookie from foreign domain: ' + document.cookie );

var script = document.createElement('script');
script.innerHTML = 'console.log( "Cookie from victim domain: " + document.cookie )';
document.body.appendChild( script );

When executed, the following is displayed in the console:
Cookie from foreign domain: Victim=Vulnerable
Cookie from victim domain: Victim=Vulnerable

I expected that at least the output of the first line would be: Cookie from foreign domain: undefined.
How can I block the access of the 3dparty.js script for cookies from the www.test1.ru domain here?

1 answer(s)
dollar, 2019-10-28

Run it on a different domain in an iframe. Then it will be a window onto another page, like a browser within a browser. Your page will not know what is inside the iframe, whatever it shows; it will only know the size and the address. And the iframe itself, accordingly, will not know what is on the outer page.
Whereas when you include the script directly, it has full access to everything, like a native script, and there is no point in putting a spoke in its wheel here. If you disable cookies, in theory the script will still be able to read them if they are somehow reflected on the page. For example, the page has a "Hello %username%" text, and the script has access to the DOM, so it can parse out the name and other variables. It makes more sense to split on an all-or-nothing basis, or through a hard-coded API.
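
The split the answer describes, written out as an added example (this is not code from the question or the answer): the www.test1.ru page embeds the third-party code as a page from www.test2.ru in an iframe and exposes only a hard-coded postMessage API, so the widget never runs in the test1 origin and has no access to its cookies or DOM. The widget URL, the message names and the height limit are assumptions.

```javascript
// Parent page on http://www.test1.ru (added example; widget URL, message
// names and MAX_HEIGHT are assumptions, not from the original page).
const WIDGET_ORIGIN = 'http://www.test2.ru';
const WIDGET_URL = WIDGET_ORIGIN + '/widget.html';
const MAX_HEIGHT = 600;

// The only messages the parent accepts from the iframe. Anything else is
// dropped, so the third-party code gets a fixed API instead of the page's
// cookies and DOM. The widget would send e.g.
//   parent.postMessage({ type: 'widget:resize', height: 320 }, 'http://www.test1.ru');
function handleWidgetMessage(origin, data) {
  if (origin !== WIDGET_ORIGIN) return null;            // ignore other windows
  if (!data || typeof data !== 'object') return null;
  switch (data.type) {
    case 'widget:resize': {
      const h = Number(data.height);
      if (!Number.isFinite(h) || h <= 0) return null;
      // The parent only ever learns the size, as the answer puts it.
      return { action: 'resize', height: Math.min(Math.floor(h), MAX_HEIGHT) };
    }
    case 'widget:ready':
      return { action: 'show' };
    default:
      return null;                                      // unknown message type
  }
}

// Builds the iframe. The sandbox keeps the widget's own www.test2.ru origin
// (so event.origin can be checked) but blocks top-level navigation, popups
// and form submission from inside the frame.
function createWidgetFrame(doc) {
  const frame = doc.createElement('iframe');
  frame.src = WIDGET_URL;
  frame.setAttribute('sandbox', 'allow-scripts allow-same-origin');
  frame.style.border = '0';
  frame.style.width = '100%';
  frame.style.height = '0';
  return frame;
}

// Browser-only wiring; skipped when the file is loaded outside a page.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = createWidgetFrame(document);
  document.body.appendChild(frame);
  window.addEventListener('message', (event) => {
    if (event.source !== frame.contentWindow) return;   // only our iframe
    const result = handleWidgetMessage(event.origin, event.data);
    if (!result) return;
    if (result.action === 'resize') frame.style.height = result.height + 'px';
  });
}
```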
