  • 7
    @roelleor - it's the other way around. RFC 6265 was written to summarize how cookies were actually handled in practice :) Yes, the RFC is a pretty accurate reflection of how major browsers behave. My recent tests on browsers confirmed that, although they may differ on corner cases involving public suffixes. Commented Jul 9, 2015 at 14:07
  • 3
    @UpTheCreek - according to RFC 6265, a leading dot should be ignored by the client. Commented Dec 8, 2015 at 21:05
  • 3
    Isn't it strange that x.y.z.com can set a cookie to z.com? Commented Mar 18, 2019 at 7:48
  • 4
    So if x.y.z.com can set a cookie to y.z.com, and a cookie with domain y.z.com is applicable to w.y.z.com... Does that mean that x.y.z.com can set a cookie to w.y.z.com? Commented May 7, 2019 at 3:38
  • 4
    @Ioanna if you are talking about the case where, in the response from x.y.z.com, the Domain attribute value for the cookie is w.y.z.com, then I think the answer is no. x.y.z.com cannot directly set a cookie whose domain is w.y.z.com, as x.y.z.com does not domain-match w.y.z.com, since the latter is not a suffix of the former. However, I think x.y.z.com can indirectly set a cookie for w.y.z.com by setting the cookie for y.z.com, and that cookie will be sent to w.y.z.com as well, assuming y.z.com is not a public suffix. Commented Jun 25, 2021 at 5:50
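
The rules these comments refer to (RFC 6265 sections 5.1.3, 5.2.3 and 5.3), sketched as an added example that is not part of the thread or any browser's code. The function names are hypothetical and `PUBLIC_SUFFIXES` is a constructed stand-in for the real Public Suffix List; hosts are assumed to be hostnames, not IP addresses.

```javascript
// Added illustration of RFC 6265 cookie domain handling; not from the thread.
// PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// Section 5.2.3: lowercase the attribute value and ignore one leading dot.
function normalizeDomainAttr(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith(".") ? v.slice(1) : v;
}

// Section 5.1.3: identical, or `domain` is a suffix of `host` on a label boundary.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Section 5.3: decide whether a response from `originHost` may store the cookie.
// Returns the stored cookie record, or null if the user agent ignores it.
function acceptCookie(originHost, domainAttr) {
  const origin = originHost.toLowerCase();
  if (domainAttr === undefined || domainAttr === "") {
    return { domain: origin, hostOnly: true }; // no Domain attribute: host-only
  }
  const domain = normalizeDomainAttr(domainAttr);
  if (PUBLIC_SUFFIXES.has(domain)) {
    // A public suffix is rejected unless it is exactly the origin host.
    return domain === origin ? { domain, hostOnly: true } : null;
  }
  // The origin host must domain-match the attribute, not the reverse.
  if (!domainMatches(origin, domain)) return null;
  return { domain, hostOnly: false };
}

// Would a stored cookie be attached to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
}

// Constructed demo of the case discussed in the comments above.
const viaParent = acceptCookie("x.y.z.com", "y.z.com");
console.log(acceptCookie("x.y.z.com", "w.y.z.com")); // sibling host: rejected
console.log(isSentTo(viaParent, "w.y.z.com"));       // parent-domain cookie reaches sibling
```

Because any subdomain can write a cookie scoped to a shared parent, an application on one subdomain should not treat a cookie's presence as proof that it set the cookie itself.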