3

I just did an audit of one of my web application pages (built using ASP.NET and running on a development server) using Google Chrome's developer tool. One particular warning caught my eye:

Serve static content from a cookieless domain (5)!

I would like to know whether it is possible to avoid cookies for these kinds of requests. I see that there are no cookie requests for JavaScript files as well. Is it possible to avoid cookies in the header for these files as well? And why didn't the browser attach cookies for JavaScript files and attach them for CSS and images?

Abdel Raoof Olakara

2 Answers

2

Cookies are "attached" to a domain and a path. If you set cookies for a path above your files, they'll be sent with any request for those files.

The warning message itself tells you how to fix this - use another domain for your static content. Or a subdomain, as long as you make sure you keep your main domain cookieless in that case.

Matti Virkkunen
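
Added example, not part of the answer above: a simplified sketch of the RFC 6265 domain and path matching that decides which requests carry a cookie, showing why static files under the same host receive the site's cookies and why a static subdomain still receives any cookie set with a `Domain` attribute on the parent domain. The hostnames, cookie names and function names are constructed for illustration, and the sketch ignores `Secure`, `SameSite`, expiry and IP-address hosts.

```javascript
// Added example: simplified RFC 6265 domain-match and path-match.
// All hostnames, paths and cookie names below are constructed sample values.

// A cookie stored without a Domain attribute is "host-only": exact host match.
// With a Domain attribute it also matches every subdomain of that domain.
function domainMatches(cookie, host) {
  host = host.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (cookie.hostOnly) return host === domain;
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: the cookie path must be a prefix of the request
// path that ends on a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentFor(jar, url) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => domainMatches(c, hostname) && pathMatches(c.path, pathname))
    .map((c) => c.name);
}

// Constructed cookie jar for a site served from www.example.test.
const jar = [
  { name: "session", domain: "www.example.test", hostOnly: true, path: "/" },
  { name: "prefs", domain: "example.test", hostOnly: false, path: "/" },
  { name: "cart", domain: "www.example.test", hostOnly: true, path: "/shop" },
];

const requests = [
  "https://www.example.test/css/site.css",        // same host: cookies attached
  "https://www.example.test/shop/img/item.png",   // also under /shop
  "https://static.example.test/css/site.css",     // subdomain: Domain cookie leaks
  "https://static.example-cdn.test/css/site.css", // separate domain: cookieless
];
for (const url of requests) {
  console.log(url, "->", cookiesSentFor(jar, url).join(", ") || "(none)");
}
```

Only the separate domain is cookieless here; the static subdomain stays cookieless only if no cookie is ever set with `Domain=example.test`.
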
0

The easiest thing to do is to follow the exact suggestion in the warning message you pasted in (serve your static assets from a completely different hostname on which you don't set cookies). But in modern browsers you now also have the option of setting the crossorigin="anonymous" attribute on the relevant elements, which will prevent cookies from being sent for the matching requests. You will need to combine this with returning an access-control-allow-origin: YOUR-ORIGIN-HERE.com header in your static asset responses.

Ben Regenspan