When a cookie is set from a JavaScript file hosted on a CDN (or elsewhere), what is the cookie's domain set to?
Given one website hosting a "widget" of another website, where that widget is not in an iframe but simply JS DOM manipulation and content fed through a JSONP connection: if the JS file that serves the widget writes a JavaScript cookie, will that cookie be marked with the domain that is hosting the widget JS file, or the domain that the widget is being displayed on (e.g. the domain that is hosting the HTML file that includes the widget JS file)?
It's the domain of the user's HTTP request (or the HTML file, in your example).
Here's why: imagine you're on http://www.blackhat.com/test.html and include this file on that page: http://www.facebook.com/cookielib.js.
This does not give you the right to read or write Facebook cookies with that JS file; that would be terrible. The user agent considers the domain in the address bar as the execution context, and all reading and writing of cookies happens on that domain.
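To make the rule in the answer concrete, here is an added example (not part of the question or the answer) that models how a user agent decides which domain a `document.cookie` write belongs to. It assumes the same two URLs as the answer and implements the RFC 6265 domain-match check in plain functions, so it runs under Node without a browser.

```javascript
// Added example: models the cookie-domain rule described in the answer. A cookie
// written via document.cookie belongs to the host of the document the script runs
// in, never to the host the script was fetched from. An explicit Domain attribute is
// honoured only when it domain-matches the document host (RFC 6265 section 5.1.3);
// otherwise the user agent ignores the whole cookie.

// RFC 6265 domain matching: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Parse "name=value; Domain=x; Path=/" into its parts (only Domain is needed here).
function parseSetCookie(str) {
  const [pair, ...attrs] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null };
  for (const a of attrs) {
    const [k, v = ""] = a.split("=");
    if (k.trim().toLowerCase() === "domain") cookie.domain = v.trim();
  }
  return cookie;
}

// Simulate `document.cookie = setCookie` executed by a script loaded from scriptUrl
// inside a document at pageUrl. Returns where the cookie is stored, or null when the
// user agent rejects it. scriptUrl is taken only to show that it plays no role.
function storeCookieFromScript(pageUrl, scriptUrl, setCookie) {
  const pageHost = new URL(pageUrl).hostname;
  void new URL(scriptUrl); // the script's origin never reaches the cookie jar
  const cookie = parseSetCookie(setCookie);
  if (cookie.domain === null) return { domain: pageHost, hostOnly: true };
  if (!domainMatches(pageHost, cookie.domain)) return null; // e.g. Domain=facebook.com
  return { domain: cookie.domain.replace(/^\./, ""), hostOnly: false };
}

// Constructed inputs taken from the answer's scenario.
const PAGE = "http://www.blackhat.com/test.html";
const SCRIPT = "http://www.facebook.com/cookielib.js";
console.log(storeCookieFromScript(PAGE, SCRIPT, "sid=abc")); // stored on www.blackhat.com
console.log(storeCookieFromScript(PAGE, SCRIPT, "sid=abc; Domain=facebook.com")); // null
```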