Setting a cookie for a different domain does not work #5841

Open
Gallaecio opened this issue Mar 2, 2023 · 1 comment · May be fixed by #5946

@Gallaecio
Member

Given a request like:

from scrapy import Request

Request(
    url="https://a.example",
    cookies=[
        {
            'name': 'foo',
            'value': 'bar',
            'domain': 'b.example',
        },
    ]
)

The cookie download middleware will discard the cookie because b.example does not match¹ a.example. The cookie will not only be ignored for the purpose of sending this specific request, which is OK, but it will not be added to the cookie jar either, meaning that if a.example redirects to b.example, the follow-up request to b.example is not going to include this cookie either.

I think we need to make it so that domain-based filtering does not keep a cookie out of the cookie jar, so that we can set a cookie for a different domain on a request with the goal of having that cookie reach the right domain in a redirect scenario.

But we need to make sure that we keep applying the domain filtering to cookies that come in the Set-Cookie header in a response, as doing otherwise would be a security issue.


¹ Understanding by “match” what the cookie specification understands when it defines how user agents must handle Set-Cookie headers.
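
An added example, not part of the issue or of Scrapy's code: a sketch of the split the issue asks for, using the standard library's `http.cookiejar`. Cookies supplied on the request go into the jar without a domain check, while `Set-Cookie` values from a response still pass the jar's domain policy. The helper names, `FakeResponse` and the cookie values are constructed for illustration.

```python
import urllib.request
from email.message import Message
from http.cookiejar import Cookie, CookieJar


class FakeResponse:
    """Smallest object CookieJar.extract_cookies() accepts (constructed)."""

    def __init__(self, *set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # appends, does not overwrite

    def info(self):
        return self._headers


def add_request_cookie(jar, name, value, domain):
    """Cookie chosen by the spider author: stored without a domain check."""
    jar.set_cookie(Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=False, expires=None,
        discard=True, comment=None, comment_url=None, rest={},
    ))


def add_response_cookies(jar, url, *set_cookie_values):
    """Cookies chosen by the server: the jar's policy drops foreign domains."""
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse(*set_cookie_values), request)


def cookie_header(jar, url):
    """Return the Cookie header the jar would send to url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def demo():
    jar = CookieJar()
    add_request_cookie(jar, "foo", "bar", "b.example")
    # a.example sets its own cookie and also tries to set one for b.example.
    add_response_cookies(jar, "https://a.example/",
                         "planted=1; Domain=b.example",
                         "sid=42; Domain=a.example")
    return (cookie_header(jar, "https://a.example/"),
            cookie_header(jar, "https://b.example/"))
```

`demo()` returns the `Cookie` header for each host: `a.example` only receives its own `sid`, and `b.example` receives the request-supplied `foo` but not the value `a.example` tried to set for it.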

@emarondan
Contributor

@Gallaecio Is it ok if I work on this?
