Should a public suffix be able to set cookies for itself?

[filedescriptor]

According to the example in https://publicsuffix.org/list/, the rule *.jp indicates that Cookies may not be set for bar.jp. However, during our testing we found that a public suffix can actually set cookies for itself.

To test it:

1. Go to http://www.alwaysdata.net/xxx/%0x
2. Run document.cookie="x=1; path=/";
3. Go to http://www.alwaysdata.net/yyy/%0x
4. Check document.cookie. You can see the cookie is set.

Following the same logic in the example, the cookie should not be set because there is this rule *.alwaysdata.net on the PSL.

I am wondering what the expected behavior should be as I found no indication on the algorithm provided and this is reproducible in both Chrome and Firefox.

[gerv]

@sleevi: any idea what's going on here?

[filedescriptor]

Any updates?

[mikewest]

Chrome carved out this behavior for host cookies. I believe Firefox has a similar carveout. See the discussion in https://bugs.chromium.org/p/chromium/issues/detail?id=551906 for the most recent change.

This seemed reasonable to do, as these cookies won't leak past the suffix, and supported the localhost use case we'd gotten some developer complaints about.