If the user agent is configured to reject "public suffixes", cookies with a Domain attribute should be processed according to the Public Suffix List (PSL), which may change frequently. The spec currently says "Whenever possible, user agents SHOULD use an up-to-date public suffix list", but does not specify what to do with existing Domain cookies whose domain-attribute becomes a public suffix after a PSL update.
I think the sensible thing to do would be to remove such a cookie from the cookie store entirely. (The alternative would be to convert it to a host-only cookie, but since the storage model doesn't include the origin that set the cookie, there's no way to know whether the cookie originally came from that host.)
Chrome currently keeps such a cookie, but I think that's a bug. I am not sure what other UAs do in this scenario.
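A sketch of the sweep proposed above, as an added example that is not part of the original issue or any user agent's code. The cookie records (`domain`, `hostOnly`), the function names and both rule lists are constructed assumptions, and the matcher goes slightly beyond the post by also handling PSL wildcard and exception rules.

```javascript
// Added example. Rule lists and cookies are constructed samples, not the real PSL.
function parseRules(lines) {
  const rules = { normal: new Set(), wildcard: new Set(), exception: new Set() };
  for (const raw of lines) {
    const r = raw.trim().toLowerCase();
    if (!r || r.startsWith("//")) continue;          // blank line or comment
    if (r.startsWith("!")) rules.exception.add(r.slice(1));
    else if (r.startsWith("*.")) rules.wildcard.add(r.slice(2));
    else rules.normal.add(r);
  }
  return rules;
}

// True when the whole domain is itself a public suffix under `rules`.
function isPublicSuffix(domain, rules) {
  const labels = domain.split(".");
  let best = 1; // implicit "*" rule: an unlisted top-level label is a public suffix
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    const n = labels.length - i;
    // An exception rule prevails, and its public suffix is shorter than the domain.
    if (rules.exception.has(suffix)) return false;
    if (rules.normal.has(suffix)) best = Math.max(best, n);
    // "*.x" needs one extra label to the left of x.
    if (i > 0 && rules.wildcard.has(suffix)) best = Math.max(best, n + 1);
  }
  return best === labels.length;
}

// Run after every PSL update. Domain cookies on a public suffix are evicted,
// not downgraded: the store has no origin to prove they came from that host.
function purgeAfterPslUpdate(store, rules) {
  const kept = [], evicted = [];
  for (const c of store) {
    const domain = c.domain.toLowerCase().replace(/^\./, "");
    const drop = !c.hostOnly && isPublicSuffix(domain, rules);
    (drop ? evicted : kept).push(c);
  }
  return { kept, evicted };
}

const OLD_PSL = ["com"];
const NEW_PSL = ["com", "hosting.example", "*.cdn.example", "!static.cdn.example"];
const STORE = [
  { name: "sid",  domain: "hosting.example",       hostOnly: false },
  { name: "pref", domain: "hosting.example",       hostOnly: true  },
  { name: "auth", domain: "alice.hosting.example", hostOnly: false },
  { name: "edge", domain: "eu.cdn.example",        hostOnly: false },
  { name: "img",  domain: "static.cdn.example",    hostOnly: false },
];
```

Host-only cookies on a public-suffix host are kept because they are only ever sent back to that exact host.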