
If I have several cookies set in my browser for example1.com, and I make a request to example1.com from example2.com, will the cookies that are set for example2.com be included in that request?

temporary_user_name

1 Answer


Cookies always depend on the current domain.
There is no way for example2.com to read, in any way, a cookie for the domain example1.com.

The only way cookies can be shared is if both domains have the same main domain, so that they look like this:

  • sub1.example.com
  • sub2.example.com

or like this:

  • example.com
  • sub2.example.com

The cookie domain has to be adjusted in all domains to allow one cookie for the main domain and a subdomain, or for several subdomains.

Nevertheless, forms, links or scripts can request or send some information without requiring cookies, if some conditions are given by CSP (see below).

This doesn't mean that interaction between domains is prohibited if they never share the same main domain, but with CSP (Content Security Policy) you have influence over how much interaction on your website is allowed.
CSPs are useful rules, but they are dumb, in so far as you can only either allow or forbid script access for another domain on your site (google-analytics, facebook, etc.). There is no possibility to create rules for what a script is allowed to do.

Furthermore, any direct interaction by forms or links is not, or only partially, covered by CSPs. So for some things it might work to send a form to a domain other than the current one, perhaps depending on some APIs for web services, e.g. OAuth; then the CSP has to be adjusted accordingly.

If you are looking for a way to exchange information between domains, you still have the option of exchanging information on the server side. So the server of example1.com can contact the server of example2.com with a separate request; the website user can't notice those things. If I think about facebook, I'd consider that a dirty trick, but I know the purposes are not always negative, and technically it's just an option which could be helpful for some problems. A possible solution for server interaction is cURL requests.

One more option regarding CSPs is that you can allow iframes (other kinds of frames no longer exist in HTML5). So you can still include an iframe from domain example2.com in the site of example1.com if the CSP is adjusted accordingly.

EDIT:
In some cases it's advisable to use a subdomain for files, so that the files are always delivered without any cookie and only the HTML pages are delivered with a cookie. In general it might be possible to deliver the files without a cookie on the same domain too, but with a subdomain it is easier. Sending files like images, JavaScript files and CSS files without cookies makes the site faster, and cookies are useless anyway for requests for static files. Note that some files like images or CSS might be created dynamically on the server and are then not static; cookies could be desired for those files.

Still, about your question:
If a cookie domain is set to cover the main domain and/or several subdomains, then these domains will share the same cookie. There won't be several cookies, but only one.

David
Giving you the bounty anyway, but please note I made a mistake in my question and have since edited it. I had the domains backwards. You might want to update your answer accordingly. – temporary_user_name May 05 '19 at 00:20
The case is described: cookies will only be included for the same domain or for the cookie domain, which must be at least the same main domain. – David May 05 '19 at 04:22
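As an added example (not code from the answer or the question), here is a small Python model of the browser-side cookie domain-matching rule from RFC 6265 section 5.1.3 that the answer describes: a cookie set without a Domain attribute goes back only to the exact host that set it, a cookie with Domain=example.com is sent to example.com and all of its subdomains, and a cookie scoped to example1.com is never attached to a request for example2.com. The cookie jar, hostnames and function names are constructed for illustration; path, Secure and public-suffix rules are left out.

```python
from typing import List, NamedTuple


class Cookie(NamedTuple):
    name: str
    domain: str       # Domain attribute, or the setting host when none was given
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the request host equals the cookie domain or is a
    subdomain of it. The dot boundary matters: notexample.com must not match
    Domain=example.com, so a plain string-suffix test would be wrong."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def can_set_domain(setting_host: str, domain_attr: str) -> bool:
    """A browser only accepts a Domain attribute that the setting host itself
    domain-matches: sub1.example.com may widen a cookie to example.com, but it
    can never set a cookie for example2.com. (Real browsers additionally reject
    public suffixes such as Domain=com, which this model does not check.)"""
    return domain_matches(setting_host, domain_attr)


def cookies_for_request(jar: List[Cookie], request_host: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for request_host."""
    sent = []
    for c in jar:
        if c.host_only:
            # host-only cookies return only to the exact host that set them
            if request_host.lower() == c.domain.lower():
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


# Constructed cookie jar for the scenario in the question and answer.
JAR = [
    Cookie("session_e1", "example1.com", host_only=True),     # no Domain attribute
    Cookie("shared", "example.com", host_only=False),         # Domain=example.com
    Cookie("sub1_only", "sub1.example.com", host_only=True),  # no Domain attribute
    Cookie("session_e2", "example2.com", host_only=True),     # no Domain attribute
]

if __name__ == "__main__":
    for host in ["example1.com", "example2.com", "sub1.example.com",
                 "sub2.example.com", "example.com", "notexample.com"]:
        print(f"{host:18} -> {cookies_for_request(JAR, host)}")
```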