2
votes

I am creating a bookmarklet that is to be used across a wide range of domains. I wanted to set some cookies to store temporary settings for this bookmarklet, so I assumed that setting a cookie from this script would assign the cookie to the domain of the script's origin.

This was not the case, the bookmarklet is able to assign cookies to the domain of the current site being viewed. This is not suitable for my needs (this would remember settings per domain, rather than for the bookmarklet across all domains).

My question is, is this somehow breaking the cross domain policy? And a follow up question, how can I store cookies for the bookmarklet rather than the correct domain it is used on.

2
Bookmarklets are assumed to be running with the blessing of the user who's installed them. – Pointy

2 Answers

3
votes

Bookmarklets are running in the context of the current page so that is the security context they run in and thus this doesn't break cross domain policy. You can only set cookies on the current page's domain. Because of this your bookmarklet can't have its own cookies.

This is the same as scripts that are loaded into a given page from a variety of domains. The origin of the page is what matters, not the origin of the script.

The only way I know of for you to save settings once for your script across all domains would be to use cross domain JSONP and store the settings on your server, but you still may have difficulty identifying a unique user.

It sounds like what you're trying to do would be much more suited to a browser plug-in which has local storage for the plug-in.
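The page-origin point made in this answer, as an added example that is not part of the question or either answer: a small Node model of the rules a browser applies to a `document.cookie` write (RFC 6265 section 5.3), showing why a bookmarklet running on www.example.com can only store cookies for that host and not for its own. The host names are constructed for the demo.

```javascript
// Added example, not from the question or answers: models the cookie
// acceptance rules of RFC 6265 section 5.3 for a write made through
// document.cookie by a bookmarklet (or any injected script).
// Host names below are constructed for the demo.

// RFC 6265 section 5.1.3: the page host domain-matches a Domain attribute
// when it is identical to it or a subdomain of it (and is not an IP address).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  const isIPv4 = /^\d+\.\d+\.\d+\.\d+$/.test(host);
  return host.endsWith('.' + domain) && !isIPv4;
}

// Parse "name=value; Domain=...; HttpOnly" into a cookie record.
function parseSetCookie(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'domain' && v.trim()) cookie.domain = v.trim(); // empty Domain is ignored
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Simulate `document.cookie = str` executed while the page at `pageHost` is
// displayed. Returns the cookie the browser would store, or null if dropped.
// Note that the script's own origin never appears here: only the page matters.
function setCookieFromScript(pageHost, str) {
  const c = parseSetCookie(str);
  if (!c) return null;
  // Section 5.3 step 6: a Domain attribute must cover the page host.
  if (c.domain !== null && !domainMatches(pageHost, c.domain)) return null;
  // Section 5.3 step 10: HttpOnly cookies cannot be set via a non-HTTP API.
  if (c.httpOnly) return null;
  return { ...c, domain: c.domain ?? pageHost, hostOnly: c.domain === null };
}

// Stand-alone demo: the bookmarklet's setting lands on the page's host.
console.log(setCookieFromScript('www.example.com', 'bm_settings=dark'));
console.log(setCookieFromScript('www.example.com', 'bm_settings=dark; Domain=bookmarklet-host.example'));
```

The second call returns null, which is the behaviour the asker observed: the bookmarklet cannot point the cookie at its own host, and each page origin keeps its own copy of the setting.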

0
votes

It does not break cross domain policy, since it is in fact run on a separate domain (that's the point behind a bookmarklet).

If you want to store cookie information, either make use of a third-party service (as in, have your own server with code that accepts cookie changes). Note that this can be a security issue since every domain would be able to get cookies for your user, unless you make your service write-only (which I doubt).

Then there's another alternative - don't save settings in a cookie. Use a different storage medium instead.