Can browsers react to Set-Cookie specified in headers in an XSS jquery.getJSON() request?
<p><i>(Note: This is a follow-up to my question <a href="https://stackoverflow.com/questions/4262636/can-jquery-getjson-put-a-domains-cookies-in-the-header-of-the-request-it-makes">Can jQuery.getJSON put a domain's cookies in the header of the request it makes?</a> and covers the XSS case of <a href="https://stackoverflow.com/questions/3431906/setting-a-cookie-in-an-ajax-request">Setting a cookie in an AJAX request?</a>)</i></p>
<p>I've been told I'm unable to set cookies to be read by other domains that are not subdomains of the current domain using <code>$.cookie(..., ..., {domain: ...})</code>. But in a comment on a response to my last question, @zanlok said "The server's reply, however, can definitely set a cookie" and it got two upvotes.</p>
<p>So I thought I'd try using a service which was created for the explicit purpose of setting cookies called <a href="http://www.freebase.com/view/en/api_service_touch" rel="nofollow noreferrer">Freebase's "touch" API</a>. The call looks like:</p>
<pre><code>$.getJSON("http://api.sandbox-freebase.com/api/service/touch",
          {},                         // URL parameters
          afterCookieIsSetCallback);  // Callback function
</code></pre>
<p>Looking in Firebug at the response header it's like this:</p>
<pre><code>Date Wed, 24 Nov 2010 03:35:28 GMT
Server Apache
X-Metaweb-Cost [...]
Etag [...]
Expires Wed, 24 Nov 2010 03:35:29 GMT
Cache-Control no-store
Vary Accept-Encoding
Content-Encoding gzip
Set-Cookie mwLastWriteTime=1290569730|10325_9202a8c04000641f80000000199eff96|sandbox; expires=Thu, 25-Nov-2010 03:35:28 GMT; Path=/
Last-Modified Wed, 24 Nov 2010 03:35:28 GMT
Content-Length 134
Content-Type text/plain; charset=utf-8
X-Cache MISS from cache01.sandbox.sjc1.metaweb.com
Connection keep-alive
X-Metaweb-TID cache;cache01.sandbox.sjc1:8101;2010-11-24T03:35:28Z;0001
</code></pre>
<p>So there's definitely a Set-Cookie in there, and the script runs the response handler.
Yet the cookie is not present in the request headers for later JSON requests this script makes to <code>.sandbox-freebase.com</code>.</p> <p>(By contrast, simply typing the touch api URL into the address bar and loading it that way does set the cookie for future requests. That applies even in other tabs.)</p> <p>This seems to be a deviation from a prior "expected behavior", because there was a toolkit published by MetaWeb circa "2007-2009" which seemed to think such an approach could work:</p> <p><a href="http://www.google.com/codesearch/p?hl=en#v099O4eZ5cA/trunk/src/freebase/api.js&amp;q=touch%20package:http://mjt%5C.googlecode%5C.com&amp;l=340" rel="nofollow noreferrer">http://www.google.com/codesearch/p?hl=en#v099O4eZ5cA/trunk/src/freebase/api.js&amp;q=touch%20package:http://mjt%5C.googlecode%5C.com&amp;l=340</a></p> <p>Without knowing much about it, I'm wondering if it was a recent change that Firefox adopted and then WebKit followed suit. Perhaps the one mentioned here:</p> <p><a href="http://trac.webkit.org/browser/trunk/WebCore/xml/XMLHttpRequest.cpp#L856" rel="nofollow noreferrer">http://trac.webkit.org/browser/trunk/WebCore/xml/XMLHttpRequest.cpp#L856</a></p> <p>So is there any canonical documentation on this particular issue?</p>
 
