6265bis doesn't have an opinion on localhost cookies

[sbingler]

Sparked from: web-platform-tests/wpt#26123

6265bis-06 doesn't seem to have any instructions on how to handle cookies set on/by localhost. More specifically for this issue: how the Domain attribute should be handled.

Chrome disallows this action, which makes sense to me, but this seems ripe for implementation specific behavior.

Should 6265bis take a stance here?

[DCtheTall]

CC @mikewest

[davidben]

Does Chrome disallow it by way of special-casing localhost, or is it because localhost is treated as an eTLD and eTLDs can't set domain attributes? I assumed it was the latter. The domain attribute seems to work just fine on http://foo1.bar.localhost and http://foo2.bar.localhost in testing.

[DCtheTall]

An important clarification is that including Domain=localhost in the Set-Cookie header in Chrome on localhost works, but the leading-dot Domain=.localhost would be disallowed in Chrome unless the request URL is a subdomain of localhost.

[sbingler]

I poked around a bit and it appears the reason is because Domain=localhost contains only a single subcomponent ("localhost"), which will always return an empty string when Chrome attempts to get the registered domain as per this function

Whether this decision was made with any thought toward "localhost" I can't say, but it does explain why a sub-domain under localhost can set a Domain cookie.