Skip to content

v6.3.3: Strict cookie domain validation

Latest

Choose a tag to compare

@Preeternal Preeternal released this 17 Jun 18:54

This release fixes inherited cookie domain validation behavior that accepted substring matches instead of RFC-style domain matches.

Fixed

  • Android now rejects invalid cookie domains such as example.com for https://notexample.com.
  • iOS uses the same exact-or-parent-domain validation when setting cookies.
  • Domain validation remains case-insensitive and continues to allow exact hosts and valid parent domains.

Tests

  • Added Swift regression coverage for substring domain mismatches such as notexample.com and badexample.com.

Fixes #3