JavaScript and third party cookies
Note: this page is a Chinese-English translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you reuse it you must do so under the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/3363495/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by roger
Say there is a site foo.com which loads JavaScript from site bar.com. Now, say the JavaScript from site bar.com tries to read cookies using document.cookies. I was under the impression that using JavaScript, you can read all the cookies set in the browser irrespective of their source. But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other. If this is the case, how are script injection attacks which steal cookies carried out?
Answered by Quentin
But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other.
That isn't true. What matters is where the HTML document containing the <script> element is, not the URL of the JS file that said <script> mentions in the src attribute.
I suspect your problem is that you are accessing document.cookies when the property is called document.cookie (singular!).
Answered by Marcel Korpel
They load scripts inside the attacked page.
For instance, when comments in a blog system get compromised, they contain a script element that is executed when the page is rendered. This script can get the cookies and send them to the attacker's server.
That's why you should never trust user input and disallow at least certain tags in comments (or translate every < to &lt;). But don't do this on the client side, as this prevention technique can easily be circumvented; test for (and change) malicious input on the server side.
Answered by Josh
You can only access cookies which have been set for the given domain name. From the Wikipedia article on cookies:
Beside the name/value pair, a cookie may also contain an expiration date, a path, a domain name, and whether the cookie is intended only for encrypted connections. RFC 2965 mandates cookies have a version number, but this is usually omitted. These pieces of data follow the name=newvalue pair and are separated by semicolons. For example, a cookie can be created by the server by sending a line Set-Cookie: name=newvalue; expires=date; path=/; domain=.example.org.
The domain and path tell the browser that the cookie has to be sent back to the server when requesting URLs of a given domain and path. If not specified, they default to the domain and path of the object that was requested. As a result, the domain and path strings may tell the browser to send the cookie when it normally would not. For security reasons, the cookie is accepted only if the server is a member of the domain specified by the domain string.
If foo.com sent a cookie which had the domain name of bar.com, or even .com, then JavaScript code on bar.com could read that cookie. However most browsers are configured to only accept cookies when the domain name matches, and would reject such a cookie.
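As an added example that is not part of the StackOverflow thread, the following JavaScript models the browser-side checks the answers describe: Josh's rule that a Set-Cookie domain attribute is only accepted when the responding host is a member of that domain, and Quentin's point that document.cookie is scoped by the page's host rather than by the script's src. The domain-matching logic follows RFC 6265; the public-suffix set, the sample cookie jar and the httpOnly handling are assumptions added for illustration, not from the thread.

```javascript
// Constructed stand-in for the public suffix list (publicsuffix.org); real
// browsers consult the full list to reject "domain=.com" style cookies.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk']);

// Canonicalise a domain attribute: lower-case, drop the legacy leading dot.
function canonicalDomain(domain) {
  return domain.trim().toLowerCase().replace(/^\./, '');
}

// RFC 6265: host domain-matches cookieDomain if they are equal, or cookieDomain
// is a suffix of host preceded by '.' and host is not an IPv4 address.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = canonicalDomain(cookieDomain);
  if (h === d) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return false;
  return h.endsWith('.' + d);
}

// Why a browser would reject a Set-Cookie "domain" attribute sent by
// responseHost; returns null when the attribute is acceptable.
function setCookieDomainProblem(responseHost, cookieDomain) {
  if (cookieDomain === undefined) return null; // host-only cookie
  const d = canonicalDomain(cookieDomain);
  if (d === '') return 'empty domain attribute';
  if (PUBLIC_SUFFIXES.has(d)) return `"${d}" is a public suffix`;
  if (!domainMatches(responseHost, d)) return `${responseHost} is not a member of ${d}`;
  return null;
}

// Constructed cookie jar. hostOnly marks cookies set without a domain
// attribute; httpOnly (an attribute not discussed in the thread) hides a
// cookie from document.cookie entirely.
const SAMPLE_JAR = [
  { name: 'foo_session', domain: 'foo.com', hostOnly: true,  httpOnly: false },
  { name: 'foo_pref',    domain: 'foo.com', hostOnly: false, httpOnly: false },
  { name: 'foo_auth',    domain: 'foo.com', hostOnly: false, httpOnly: true },
  { name: 'bar_track',   domain: 'bar.com', hostOnly: false, httpOnly: false },
];

// Names document.cookie exposes to a page served from documentHost. Only the
// page's host matters, never the src of the <script> that runs the code.
function visibleCookieNames(documentHost, jar) {
  const host = documentHost.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
    .filter(c => !c.httpOnly)
    .map(c => c.name);
}
```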