Home/ Questions/Q 3405348
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T05:29:40+00:00

(Note: See also the related question Can browsers react to Set-Cookie specified in headers

  • 0

(Note: See also the related question Can browsers react to Set-Cookie specified in headers in an XSS jquery.getJSON() request?)

I can’t seem to set a cookie (whose name is mwLastWriteTime) in the request header of a JSON operation. The request itself is a simple one from the Freebase MQL tutorials, and it is working fine otherwise:

// Invoke mqlread and call the function below when it is done.
// Adding callback=? to the URL makes jQuery do JSONP instead of XHR.
jQuery.getJSON("http://api.sandbox-freebase.com/api/service/mqlread?callback=?",
{query: JSON.stringify(envelope)},   // URL parameters
displayResults);                     // Callback function

I’d hoped that I could set this cookie with something along the lines of:

$.cookie('mwLastWriteTime', value, {domain: ".sandbox-freebase.com"});

Unfortunately, looking in FireBug at the outgoing request header I see only:

Host    api.sandbox-freebase.com
User-Agent  [...]
Accept  */*
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive  115
Connection  keep-alive
Referer [...]

But if I don’t specify the domain (or if I explicitly specify the domain of the requesting site) I can get mwLastWriteTime to show up in the headers for local requests. Since the .sandbox-freebase.com domain owns these cookies, shouldn’t they be traveling along with the GET? Or does one need a workaround of some sort?

My code is all JavaScript, and I would like to set this cookie and then call the getJSON immediately afterward.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You cannot set a cross-domain cookie, because that would open the browser (and therefore the user) to XSS attacks.

    To quote from the QuirksMode.org article that I reference above:

    Please note that the purpose of the
    domain is to allow cookies to cross
    sub-domains. My cookie will not be
    read by search.quirksmode.org because
    its domain is http://www.quirksmode.org .
    When I set the domain to
    quirksmode.org, the search sub-domain
    may also read the cookie. I cannot set
    the cookie domain to a domain I’m not
    in, I cannot make the domain
    http://www.microsoft.com . Only
    quirksmode.org is allowed, in this
    case.

    If you want to make cross-site request with cookie values you will need to set up a special proxy on a server you control that will let you pass in values to be sent as cookie values (probably via POST parameters). You’ll also want to make sure that you properly secure it, lest your proxy become the means by which someone else’s private information is “liberated”.

    • 0