You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
6265bis-06 doesn't seem to have any instructions on how to handle cookies set on/by localhost. More specifically for this issue: how the Domain attribute should be handled.
Chrome disallows this action, which makes sense to me, but this seems ripe for implementation specific behavior.
Should 6265bis take a stance here?
The text was updated successfully, but these errors were encountered:
Does Chrome disallow it by way of special-casing localhost, or is it because localhost is treated as an eTLD and eTLDs can't set domain attributes? I assumed it was the latter. The domain attribute seems to work just fine on http://foo1.bar.localhost and http://foo2.bar.localhost in testing.
An important clarification is that including Domain=localhost in the Set-Cookie header in Chrome on localhost works, but the leading-dot Domain=.localhost would be disallowed in Chrome unless the request URL is a subdomain of localhost.
I poked around a bit and it appears the reason is because Domain=localhost contains only a single subcomponent ("localhost"), which will always return an empty string when Chrome attempts to get the registered domain as per this function
Whether this decision was made with any thought toward "localhost" I can't say, but it does explain why a sub-domain under localhost can set a Domain cookie.
Sparked from: web-platform-tests/wpt#26123
6265bis-06 doesn't seem to have any instructions on how to handle cookies set on/by localhost. More specifically for this issue: how the Domain attribute should be handled.
Chrome disallows this action, which makes sense to me, but this seems ripe for implementation specific behavior.
Should 6265bis take a stance here?
The text was updated successfully, but these errors were encountered: