Tag: extraneous markup
Entranced98 (talk | contribs) Undid revision 701767213 by 71.40.43.122 (talk)
Line 42:
HttpOnly cookies can only be used when transmitted via [[HTTP]] (or [[HTTP Secure|HTTPS]]). They are not accessible through non-HTTP APIs such as [[JavaScript]]. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS), while leaving the threats of [[cross-site tracing]] (XCT) and [[cross-site request forgery]] (CSRF) intact.
Normally, a cookie's ___domain attribute will match the ___domain that is shown in the web browser's address bar. This is called a '''first-party cookie'''. '''Third-party cookies''', however, belong to domains ''different'' from the one shown in the address bar. These sorts of cookies typically appear when web pages feature content, such as banner advertisements, from external websites. This opens up the potential for tracking the user's browsing history, and is often used by advertisers in an effort to serve relevant advertisements to each user.
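Review bot: the two paragraphs shown under Line 42 carry no marked added or removed text, so the markup this undo takes out cannot be confirmed from the diff as shown. The edit summary should say what the reverted revision introduced and where, since the only hint is the "extraneous markup" tag.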