Since document.cookie gets the current web page cookies, if I put my XSS payload in a URL shortener website, it will not work, right?
I mean it will get the cookies of that URL shortener website, not the target. Is this right?
I don't mean the URL shorteners are doing it on purpose, I mean is it a side effect of using short url?
URL shortener normally only redirects your request to a different server, they do not proxy that request. The idea of the URL shortener is to keep the complete URL and just make it shorter alias.
So it won't prevent XSS attack (at least not the majority of XSS attack types)