Are cookies sent along with image requests?

Time: 2022-10-13 13:09:29

If I have a site (e.g. foo.com) and on the home page of foo.com there is an image request where the src=bar.com..., will the cookies on the bar.com domain be sent to the bar.com servers?

Thanks!

4 answers

#1


Yes. HTTP doesn't distinguish between one kind of resource or another (image vs html).

#2


The cookie will typically be included in any type of request, but the scenario you describe is what's known as a third-party cookie (that is, the cookie is set on a domain that is different than the domain of the loaded page) and most browsers offer a privacy setting to block third-party cookies.

A third-party cookie allows the owners of bar.com to place an image (say a banner ad) on foo.com and track the users of foo.com even though those users have never visited bar.com. This is a privacy concern and many users elect to block such cookies.

#3


If third-party-cookies are not blocked by the user then most modern browsers will set or send cookies of the third party domain when a request is made to the third party web site. IE 6 has a different kind of blocking mechanism called leashing. wiki: A leashed cookie is a third-party cookie that is sent by the browser only when accessing a third-party document via the same first-party.

#4


Yes, cookies are sent on all requests. This includes "img" and "script" as well as XMLHttpRequest calls from JavaScript and can be a security issue on script tags as scripts loaded by one website can load scripts from another site and will send their authentication cookies too. This can be exploited to steal data.
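
Added example (not part of any answer above): a simplified JavaScript model of how a browser decides which cookies to attach to a subresource request such as the foo.com page loading an image from bar.com. The function names, the cookie jar and the two-label "site" rule are assumptions made for illustration; the `SameSite` attribute is not mentioned in the thread and is included as the server-side control that keeps an authentication cookie off cross-site `img`/`script` requests.

```javascript
// Simplified model of a browser attaching cookies to a subresource request.
// Assumptions: "site" = last two host labels (real browsers use the Public
// Suffix List); path matching and cookie expiry are left out.
const siteOf = (host) => host.split('.').slice(-2).join('.');

// RFC 6265 domain-match: exact host, or a subdomain of the cookie's Domain.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Returns the Cookie header value that would be sent ('' means none).
// resourceType is accepted only to show that it plays no part in the decision.
function cookieHeaderFor({ pageUrl, requestUrl, resourceType, jar, blockThirdParty = false }) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const crossSite = siteOf(page.hostname) !== siteOf(req.hostname);
  return jar
    .filter((c) => domainMatches(req.hostname, c))          // keyed on the request target
    .filter((c) => !c.secure || req.protocol === 'https:')  // Secure cookies need HTTPS
    .filter(() => !(crossSite && blockThirdParty))          // user privacy setting
    // SameSite=Lax/Strict cookies are withheld from cross-site subresource requests.
    .filter((c) => !(crossSite && (c.sameSite === 'Lax' || c.sameSite === 'Strict')))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed cookie jar: cookies set by earlier bar.com and foo.com responses.
const jar = [
  { name: 'track', value: 'u123', domain: 'bar.com', hostOnly: false, secure: true, sameSite: 'None' },
  { name: 'session', value: 'abc', domain: 'bar.com', hostOnly: true, secure: true, sameSite: 'Lax' },
  { name: 'fooid', value: 'zzz', domain: 'foo.com', hostOnly: true, secure: true, sameSite: 'Lax' },
];

// foo.com's home page embeds a resource from bar.com.
const onFoo = { pageUrl: 'https://foo.com/', requestUrl: 'https://bar.com/banner.png', jar };
console.log('img on foo.com:      ', cookieHeaderFor({ ...onFoo, resourceType: 'img' }));
console.log('script on foo.com:   ', cookieHeaderFor({ ...onFoo, resourceType: 'script' }));
console.log('third-party blocked: ', cookieHeaderFor({ ...onFoo, blockThirdParty: true }));
console.log('visiting bar.com:    ', cookieHeaderFor({ ...onFoo, pageUrl: 'https://bar.com/' }));
```

The tracking cookie marked `SameSite=None` travels with the image request from foo.com, while the `SameSite=Lax` session cookie is only sent when the user is on bar.com itself.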