Are cookies sent with image requests?

Question

If I have a site (e.g. foo.com) and on the home page of foo.com, there is an image request where the src=bar.com..., will the cookies on the bar.com domain be sent to the ba

Answer 1

Yes cookies are sent on all requests. This includes "img" and "script" as well as XMLHttpRquest calls from javascript and can be a security issue on script tags as scripts loaded by one website can load scripts from another site and will send their authentication cookies too. This can be exploited to steal data.