
I am unable to understand how iframes can access cross-domain cookies. E.g. I have 2 domains, abc.com and xyz.com. I have the parent frame at abc, which is calling an iframe from xyz; the iframe from xyz has code to read cookies (not HttpOnly) and send them via a postMessage response.

It is not clear to me: if an iframe is loaded into the parent frame, wouldn't calling document.cookie in the iframe (as it is currently loaded on my machine) emit the cookie on my machine and not the one stored on xyz.com?

I was looking at the OpenID Connect documentation and they do something like this.

The implementation is kind of described here: Accessing cookies of an iFrame in parent window

Sharad B

1 Answer


The only way an iframe from a different domain can read cookies from the first is if the domain that owns the cookies calls code that outputs those cookies in some way to the other domain.

This can be done if the cookie-owning-domain calls a function on the cookie-stealing-domain.

For example, if the cookie-stealing-domain defines a function named "reportCookies()", the cookie-owning-domain can call iframe.window.reportCookies(document.cookie) to send in the cookies. This is the basic approach of an XSS (cross-site scripting) attack. It usually involves somehow getting code to directly run on the cookie-owning domain.

We actually used this technique on our site with two different (sub-)domains. We'd load up nested iframes that looked like this:

cookie-owning
  cookie-stealing
    cookie-owning

We'd then have the innermost domain call a function from the cookie-stealing one to share some cookies (for legitimate purposes).

samanime
  • There is no such thing as a cookie stored on a server. All cookies are client-side. There may be data stored in a database or some kind of session, but that is application specific. – samanime Jun 12 '18 at 22:05
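The exchange the question describes, written out as an added example; this is not code from the question, the answer or the OpenID Connect specification. The two "site" functions are written the way they would run in a browser: one inside the xyz.com iframe (the cookie-owning origin), one in the abc.com embedder. makeWindow() and runAs() are a minimal stand-in for the browser so that the exchange can run under Node and be checked. abc.com and xyz.com are the question's domains; the attacker origin evil.example, the cookie values and the message shapes ({type: 'get-cookies'} / {type: 'cookies'}) are constructed for this example.

```javascript
// Model of the postMessage exchange between an embedding page (abc.com) and a cross-origin
// iframe (xyz.com). The two "site" functions are written the way they would run in a browser;
// makeWindow()/runAs() are a small stand-in for the browser so the exchange runs under Node.

let executing = null;   // window whose script is currently running (the browser's "incumbent" window)
function runAs(win, fn) {
  const prev = executing;
  executing = win;
  try { return fn(); } finally { executing = prev; }
}

// A fake browsing context: its own origin, its own (non-HttpOnly) cookie jar, and a postMessage
// that applies the real browser rule: a message whose targetOrigin does not match the receiver
// is silently dropped, and the receiver learns the sender's origin from event.origin.
function makeWindow(origin, cookie) {
  const listeners = new Set();
  const win = {
    origin,
    document: { cookie },
    addEventListener(type, fn) { if (type === 'message') listeners.add(fn); },
    removeEventListener(type, fn) { listeners.delete(fn); },
    postMessage(data, targetOrigin) {
      if (targetOrigin !== '*' && targetOrigin !== origin) return;
      const event = { origin: executing.origin, source: executing, data };
      // Delivered synchronously here for simplicity; a real browser queues the event.
      for (const fn of [...listeners]) runAs(win, () => fn(event));
    },
  };
  return win;
}

// --- Code that runs inside the xyz.com iframe (the cookie-owning origin) ---------------------
// Hardened: answer only the embedder we trust, and address the reply to that origin only.
function installCookieReporter(frameWin, trustedEmbedderOrigin) {
  frameWin.addEventListener('message', (event) => {
    if (event.origin !== trustedEmbedderOrigin) return;            // drop requests from anyone else
    if (!event.data || event.data.type !== 'get-cookies') return;
    // document.cookie is evaluated in the frame's own origin, so this is xyz.com's jar,
    // never the embedder's, and HttpOnly cookies are not visible to it at all.
    event.source.postMessage({ type: 'cookies', cookies: frameWin.document.cookie }, trustedEmbedderOrigin);
  });
}

// Leaky variant: no origin check and targetOrigin '*'. Any site that can embed the frame
// (or open it in a popup) can now ask for its cookies.
function installLeakyCookieReporter(frameWin) {
  frameWin.addEventListener('message', (event) => {
    if (!event.data || event.data.type !== 'get-cookies') return;
    event.source.postMessage({ type: 'cookies', cookies: frameWin.document.cookie }, '*');
  });
}

// --- Code that runs in the embedding page (abc.com) -----------------------------------------
// Asks the frame for its cookies; accepts a reply only if it really came from frameOrigin.
function requestCookies(embedderWin, frameWin, frameOrigin, onCookies) {
  const onMessage = (event) => {
    if (event.origin !== frameOrigin) return;
    if (!event.data || event.data.type !== 'cookies') return;
    embedderWin.removeEventListener('message', onMessage);
    onCookies(event.data.cookies);
  };
  embedderWin.addEventListener('message', onMessage);
  frameWin.postMessage({ type: 'get-cookies' }, frameOrigin);   // targetOrigin pins the recipient
}

// Runs the exchange with a given reporter installed in the frame. Cookie values are constructed.
function demo(installReporter) {
  const embedder = makeWindow('https://abc.com', 'abc_theme=dark');
  const frame    = makeWindow('https://xyz.com', 'xyz_session=s3cr3t; lang=en');
  const attacker = makeWindow('https://evil.example', '');        // constructed hostile embedder
  installReporter(frame, 'https://abc.com');                       // leaky variant ignores the 2nd arg

  let seenByEmbedder = null, seenByAttacker = null, seenWithStaleOrigin = null;
  runAs(embedder, () => requestCookies(embedder, frame, 'https://xyz.com', (c) => { seenByEmbedder = c; }));
  runAs(attacker, () => requestCookies(attacker, frame, 'https://xyz.com', (c) => { seenByAttacker = c; }));
  // Wrong targetOrigin on the request: the browser drops it before the frame ever sees it.
  runAs(embedder, () => requestCookies(embedder, frame, 'https://old.xyz.com', (c) => { seenWithStaleOrigin = c; }));
  return { frameCookies: frame.document.cookie, seenByEmbedder, seenByAttacker, seenWithStaleOrigin };
}

console.log('hardened:', demo(installCookieReporter));
console.log('leaky:   ', demo(installLeakyCookieReporter));
```

Two things the run makes visible. First, document.cookie inside the frame returns the frame's own jar (xyz.com's cookies), because the script runs with the frame's origin regardless of which page embeds it; the embedder can only get those cookies because xyz.com's code chooses to hand them over. Second, the handover is only safe with both checks in place: the receiver verifies event.origin before trusting a message, and the sender passes an explicit targetOrigin instead of '*'. With the leaky reporter the constructed attacker origin receives the same cookies as abc.com.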