Can I read/access/listen to cookies from other domain where I am being put inside an iframe?

Question

I've a cross site cookie question as in if I can read/access/listen to the cookie from parent or top window ?

Let's say my page is 1234.com and I am being put into nested iframes inside series of domains like abc.com > def.com and finally being rendered onto xyz.com

I know I can't set cookie on the top page (xyz.com) from 1234.com due to cross domain restrictions, but is there any way I can read or access or listen to the cookie and make a synonymous copy within my website ?

Example: Let's say an user, MALE (25-30yrs) from Chiacgo (with cookie_id=male25) is reading the page xyz.com, where inside an Iframe my page 1234.com is loaded too. Now I know 1234.com can set cookies only on the iframe and therefore, what I am trying to achieve here that -

1234.com is able to read/listen to the cookies of xyz.com (cookie_id=male25) and when it will write the cookie on iframe (cookie_id=1234) is able to write exact copy of the parent cookie or match it in a way so that I can use 1234 cookie on my end to target the same matching user with cookie_id=male25.

I was thinking techniques like iframe Busting in case it helps to burst the iframe opening my 1234.com an unhindered access to the window.top that will allow me to read/access/listen and write my own cookie.

Do you think if anything is possible like this? Even though I want to learn if its possible in a ethical/non-ethical way if this ever possible at all.

Also as a publisher how can we prevent this to happen on our page?

Answer 1

Absolutely Not.

For security reasons, you can and never will be able to read cookies that are not from your domain.

Think about the consequences it would have if you could: people logging in on your website through some OAuth service for instance, would basically "lose" all the cookie data to your website's JavaScript context since your website happens to include some iframe/image/script from another domain. It would be able to read all cookie values and copy a login session for instance, which might be stored in it.

If both domains are wanting to coordinate the exchange of the data as you described, I would suggest looking into Window.postMessage. PostMessage allows a page to securely send messages to its parent or opener, and then allows the receiver to accept or reject those messages by inspecting the origin of the message.

In your example the outer-frame could broadcast a postMessage containing the demographic information of the currentUser to any iframes contained within it, and those iframes could register a listener to receive that information.