
I have a question related to Share cookie between subdomain and domain - what would happen if I set the domain while setting cookie as .com? Would the cookie be available to all .com websites?

Swarnim Raj

1 Answer

Well-configured user-agents should reject such cookies, as explained in RFC 6265 section 5.3:

  1. If the user agent is configured to reject "public suffixes" and the domain-attribute is a public suffix:

    • If the domain-attribute is identical to the canonicalized request-host:

      • Let the domain-attribute be the empty string.
    • Otherwise:

      • Ignore the cookie entirely and abort these steps.

NOTE: A "public suffix" is a domain that is controlled by a public registry, such as "com", "co.uk", and "pvt.k12.wy.us". This step is essential for preventing attacker.com from disrupting the integrity of example.com by setting a cookie with a Domain attribute of "com". Unfortunately, the set of public suffixes (also known as "registry controlled domains") changes over time. If feasible, user agents SHOULD use an up-to-date public suffix list, such as the one maintained by the Mozilla project at http://publicsuffix.org/.

CodeCaster
What does `Let the domain-attribute be the empty string.` mean? If the domain attribute is empty, then what happens? – Number945 Dec 12 '20 at 19:04
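The RFC steps quoted in the answer can be traced through in code. The following is an added example, not code from the Stack Overflow answer or from any browser; it implements a simplified version of the RFC 6265 section 5.3 domain handling (the public-suffix rejection step and the domain-match step that follows it) against a tiny constructed subset of the public suffix list, and then shows which request hosts a resulting cookie would be sent to. Function names, the `PUBLIC_SUFFIXES` set and the sample hosts are all assumptions made for this example.

```python
"""
Added example (not from the original answer): simplified RFC 6265 section 5.3
processing of a Set-Cookie Domain attribute, including the public-suffix rule.
"""

# Constructed subset of the public suffix list (publicsuffix.org has thousands
# of entries; this is only enough to exercise the algorithm).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "pvt.k12.wy.us"}


def canonicalize(host: str) -> str:
    """Lower-case and strip a trailing dot; IDNA handling is omitted here."""
    return host.strip().lower().rstrip(".")


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or host is a subdomain of domain
    (the IP-address exception is omitted in this simplified example)."""
    return request_host == domain or request_host.endswith("." + domain)


def resolve_cookie_domain(request_host: str, domain_attribute: str,
                          reject_public_suffixes: bool = True):
    """Apply section 5.3 steps 5 and 6 to a Domain attribute.

    Returns (host_only_flag, cookie_domain), or None when the user agent
    must ignore the cookie entirely.
    """
    host = canonicalize(request_host)
    # Section 5.2.3: a leading "." on the Domain attribute is ignored.
    domain = canonicalize(domain_attribute or "").lstrip(".")

    # Step 5: public suffix handling (the part quoted in the answer).
    if reject_public_suffixes and domain and domain in PUBLIC_SUFFIXES:
        if domain == host:
            domain = ""        # "Let the domain-attribute be the empty string."
        else:
            return None        # "Ignore the cookie entirely and abort these steps."

    # Step 6: a non-empty Domain must domain-match the request host.
    if domain:
        if not domain_matches(host, domain):
            return None
        return (False, domain)  # sent to the domain and all its subdomains

    # Empty Domain attribute: host-only cookie, bound to the exact request host.
    return (True, host)


def cookie_sent_to(cookie, request_host: str) -> bool:
    """Section 5.4: host-only cookies need an exact host match, otherwise
    the request host must domain-match the cookie's domain."""
    host_only, cookie_domain = cookie
    host = canonicalize(request_host)
    if host_only:
        return host == cookie_domain
    return domain_matches(host, cookie_domain)


if __name__ == "__main__":
    # Constructed scenarios: a response from www.example.com sets cookies.
    for attr in ("com", ".com", "example.com", "", "other.com"):
        print(f"Domain={attr!r:14} -> {resolve_cookie_domain('www.example.com', attr)}")
    # With public-suffix rejection disabled, the "com" cookie would be stored
    # and then sent to every .com host, which is what step 5 prevents.
    leaky = resolve_cookie_domain("www.example.com", "com", reject_public_suffixes=False)
    print("without rejection:", leaky, cookie_sent_to(leaky, "attacker.com"))
```

A host-only cookie (empty Domain attribute) is sent back only to the exact host that set it, which is why the RFC's fallback to the empty string is safe: a cookie set from a host that is itself a public suffix stays confined to that host instead of covering every domain beneath it.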