When you are served a web page, who builds the DOM document? Is it strictly the server printing HTML? How is the browser involved? I am specifically interested in knowing how is the document.cookie property populated.
A) The server populates document.cookie
- The browser stores a cookie for foobar.com in the users hard drive.
- The next time foobar.com is visited, the browser presents all cookies for foobar.com to the server.
- The server builds the DOM document.cookie property based on these cookies.
B) The browser populates document.cookie
- The browser stores a cookie for foobar.com in the users hard drive.
- The next time foobar.com is visited, the server goes on about constructing and serving the HTML.
- Somewhere before or after the browser grabs all the cookies on the hard drive and populates document.cookie.
I am interested in this information because I'm studying how cookie stripping at proxy servers such as Varnish and Squid can affect cookies. If document.cookie was built by the server (option A above), then I would assume cookie stripping by proxies would affect the document.cookie property. I am however party inclined to think B is the case since I have a directive in a Varnish server to specifically strip a cookie, but the data of the cookie remains persistent in document.cookie even after stripping it from the request.
This question is especially important for people who have websites behind Varnish, since a request that comes attached with a cookie negates the use of cached data and generates a back-end hit.