Cross-Domain Cookies

by

Cross-domain cookies are not allowed (i.e. site A cannot set a cookie on site B).

But once a cookie is set by site A, you can send that cookie even in requests from site B to site A (i.e. cross-domain requests):

XMLHttpRequest from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request. The third-party cookies obtained by setting withCredentials to true will still honor same-origin policy and hence can not be accessed by the requesting script through document.cookie or from response headers.

Make sure to do these things:

  1. When setting the cookie in a response
    • The Set-Cookie response header includes SameSite=None if the requests are cross-site (note a request from www.web.dev to static.web.dev is actually a same-site request, and can use SameSite=Strict)
    • The Set-Cookie response header should include the Secure attribute if served over HTTPS; as seen here and here
  2. When sending/receiving the cookie:
    • The request is made with withCredentials: true, as mentioned in other answers here and here, including the original request whose response sets the cookie set in the first place
      • For the fetch API, this attribute is credentials: 'include', vs withCredentials: true
      • For jQuery’s ajax method, note you may need to supply argument crossDomain: true
    • The server response includes cross-origin headers like Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, and Access-Control-Allow-Methods
      • As @nabrown points out: “Note that the “Access-Control-Allow-Origin” cannot be the wildcard (*) value if you use the withCredentials: true” (see @nabrown’s comment which explains one workaround for this.
  3. In general:
    • Your browser hasn’t disabled 3rd-party cookies. (* see below)

Things that you don’t need (just use the above):

  1. domain attribute in the Set-Cookie; you can choose a root domain (i.e. a.example.com can set a cookie with a domain value of example.com, but it’s not necessary; the cookie will still be sent to a.example.com, even if sent from b.other-site.com
  2. For the cookie to be visible in Chrome Dev Tools, “Application” tab; if the value of cookie HttpOnly attribute is true, Chrome won’t show you the cookie value in the Application tab (it should show the cookie value when set in the initial request, and sent in subsequent responses where withCredentials: true)

Let’s clarify a “domain” vs a “site”; a quick reminder of “anatomy of a URL” helps me. In this URL https://example.com:8888/examples/index.html, remember these main parts (got from this paper):

  • the “protocol”: https://
  • the “hostname/host”: example.com
  • the “port”: 8888
  • the “path”:/examples/index.html.

Notice the difference between “path” and “site” for Cookie purposes. “path” is not security-related; “site” is security-related:

path

Servers can set a Path attribute in the Set-Cookie, but it doesn’t seem security related:

Note that path was intended for performance, not security. Web pages having the same origin still can access cookie via document.cookie even though the paths are mismatched.

site

The SameSite attribute, according to web.dev article, can restrict or allow cross-site cookies; but what is a “site”?

It’s helpful to understand exactly what ‘site’ means here. The site is the combination of the domain suffix and the part of the domain just before it. For example, the www.web.dev domain is part of the web.dev site…

This means a request to static.web.dev from www.web.dev , is a sameSite request.

The public suffix list defines this, so
it’s not just top-level domains like .com but also includes services
like github.io

This means a request to your-project.github.io from my-project.github.io , is a a cross-site request.

This means what’s to the left of the public suffix; is the subdomain (but the subdomain is a part of the host; see the BONUS reply in this answer)

  • www is the subdomain in www.web.dev; same site as static.web.dev
  • your-project is the domain in your-project.github.io; separate site as my-project.github.io

In this URL https://www.example.com:8888/examples/index.html, remember these parts:

  • the “protocol”: https://
  • the “hostname” aka “host”: example.com
  • (in cases like “en.wikipedia.org”, the entire “en.example.com” is also a hostname)
  • the “port”: 8888
  • the “site”: example.com
  • the “domain”: example.com
  • the “subdomain”: www
  • the “path”: /examples/index.html

Useful links:

  • https://web.dev/samesite-cookies-explained/
  • https://jisajournal.springeropen.com/articles/10.1186/1869-0238-4-13
  • https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03
  • https://inst.eecs.berkeley.edu/~cs261/fa17/scribe/web-security-1.pdf
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

(Be careful; I was testing my feature in Chrome Incognito tab; according to my chrome://settings/cookies; my settings were “Block third party cookies in Incognito”, so I can’t test Cross-site cookies in Incognito.)

a browser is open to the URL chrome://settings/cookies, which shows that "Block third-party cookies in Incognito" setting is set, choose a setting in your browser that will allow third-party cookies

Leave a Comment