The request-host is the name of the host, as known by the user agent,
to which the user agent is sending an HTTP request or from which it
is receiving an HTTP response (i.e., the name of the host to which it
sent the corresponding HTTP request).
The term request-uri is defined in Section 5.1.2 of [RFC2616].
According to https://tools.ietf.org/html/rfc6265#section-5.4 domain matching works on the request-host (with the unclear definition above).
The request-uri consists of the Host header and the abs_path, and the request-host sounds more like the r.URL.Host.
On the other hand: curl seems to use the Host header....
@vdobler What is the intended purpose of allowing outbound requests where r.Host != r.URL.Host?
When I issue outbound requests where r.Host != r.URL.Host, my intent is to mimic DNS resolution:
r.Host is what my user has in their address bar
r.URL.Host is where the DNS for r.Host resolves
Having this separation allows me to mimic a server that has multiple hosts pointed at it, and generate different responses depending on the Host.
Since I'm imagining r.Host is what my user has in their address bar, it's also where I'm expecting cookies to be set. But maybe I'm thinking about this all wrong?
Another exercise that might be helpful is to think about things from the server's perspective. r.URL.Host doesn't exist on the server, so when it issues SetCookie it expects the cookie to be set on the incoming request's r.Host.