Open sbingler opened 4 years ago
CC @mikewest
Does Chrome disallow it by way of special-casing localhost, or is it because localhost is treated as an eTLD and eTLDs can't set domain attributes? I assumed it was the latter. The domain attribute seems to work just fine on http://foo1.bar.localhost and http://foo2.bar.localhost in testing.
An important clarification is that including Domain=localhost in the Set-Cookie header in Chrome on localhost works, but the leading-dot Domain=.localhost would be disallowed in Chrome unless the request URL is a subdomain of localhost.
I poked around a bit and it appears the reason is because Domain=localhost contains only a single subcomponent ("localhost"), which will always return an empty string when Chrome attempts to get the registered domain as per this function.
Whether this decision was made with any thought toward "localhost" I can't say, but it does explain why a sub-domain under localhost can set a Domain cookie.
Sparked from: https://github.com/web-platform-tests/wpt/issues/26123
6265bis-06 doesn't seem to have any instructions on how to handle cookies set on/by localhost. More specifically for this issue: how the Domain attribute should be handled.
Chrome disallows this action, which makes sense to me, but this seems ripe for implementation-specific behavior.
Should 6265bis take a stance here?
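As an added example (not code from this thread, from Chrome, or from the spec text), the code below applies the Domain-attribute steps of RFC 6265 (sections 5.2.3, 5.1.3 and 5.3 steps 5 and 6) to the hosts discussed here, showing how the result depends on whether the user agent treats localhost as a public suffix. All function names and the two `asSuffix`/`notSuffix` policies are assumptions made for illustration.

```javascript
// Added example: RFC 6265 section 5.3 steps 5 and 6 for the Domain attribute.
// isPublicSuffix stands in for a real Public Suffix List lookup (assumption).

// Section 5.2.3: drop one leading dot, then lowercase.
function parseDomainAttribute(value) {
  const v = value.startsWith(".") ? value.slice(1) : value;
  return v.toLowerCase();
}

// Section 5.1.3: identical, or host ends with "." + domain (IP hosts not handled).
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns { stored, hostOnly, domain } for one request host and Domain value.
function storeDecision(requestHost, domainAttr, isPublicSuffix) {
  const host = requestHost.toLowerCase();
  let domain = parseDomainAttribute(domainAttr || "");
  // Step 5: a public-suffix Domain is only tolerated as a host-only cookie.
  if (domain !== "" && isPublicSuffix(domain)) {
    if (domain === host) domain = "";
    else return { stored: false, hostOnly: false, domain: null };
  }
  // Step 6: a non-empty Domain must domain-match the request host.
  if (domain !== "") {
    if (!domainMatch(host, domain)) return { stored: false, hostOnly: false, domain: null };
    return { stored: true, hostOnly: false, domain };
  }
  return { stored: true, hostOnly: true, domain: host };
}

// Two constructed user-agent policies: localhost is a public suffix, or it is not.
const asSuffix = (d) => d === "localhost";
const notSuffix = () => false;

// Hosts and Domain values from the thread, evaluated under both policies.
function demo() {
  const cases = [["localhost", "localhost"], ["localhost", ".localhost"],
    ["foo1.bar.localhost", "bar.localhost"], ["foo1.bar.localhost", "localhost"]];
  return cases.map(([host, attr]) => ({
    host, attr,
    suffix: storeDecision(host, attr, asSuffix),
    plain: storeDecision(host, attr, notSuffix),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Section 5.2.3 strips the leading dot before these steps run, so `Domain=.localhost` and `Domain=localhost` give the same result here, unlike the Chrome behavior reported above.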