Why is a cross-site scripting attack on eecs485.org able to send cookies to evilserver even when the malicious script is loaded from a different server?

Using Cross site scripting attack,the attacker can steal the cookie and send it to their own server in various ways.One of them is by executing a client side script on the browser of the victim.

Explanation:

The attacker injects a payload by submitting a vulnerable form with malicious code into the database of a website that the victim visits. The victim uses his browser and request the website from the server. The browser receives the web page along with the payload(malicious code that the attacker has injected) from the server. The browser of the victim executes the malicious code which is present in the HTML body of the web page. This sends the victim's cookie to the attacker server. When the HTTP request arrives at the attackers server,the attacker can then get the cookie from that HTTP request and can use the victim's cookie.

Hence the Answer is  

Web browsers send the cookies for eecs485.org with every HTTP request that loads a script

Both shades should be exactly the same

Ithink the answer is b. hope this .