Set-Cookie domain attribute actually needs leading dot to work

[djc]

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

What specific section or headline is this issue about?

Domain attribute

What information was incorrect, unhelpful, or incomplete?

Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.

Despite the specification in RFC 6265, in our testing, it appears that current browsers (Chrome, Firefox, Safari) actually need the leading dot to make cookies from subdomains work in parent domains.

What did you expect to see?

Cookies should be accessible across domains sharing a common suffix even when the Domain attribute does not specify a leading dot (as in Domain = example.com).

Do you have any supporting links, references, or citations?

No response

Do you have anything more you want to share?

No response

MDN metadata

Page report details

• Folder: en-us/web/http/headers/set-cookie
• MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
• GitHub URL: https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/set-cookie/index.md
• Last commit: 28bfd9b
• Document last modified: 2024-01-10T10:30:39.000Z

[juangir]

Hi,
I've seen also this issue with most modern Browsers.
But it seems that browsers have a lot stuff not being compliant with RFC 6265. Here Ivan Nikulin
covers a lot of problems.
I think in the MDN documentation should not state (as a fact) that cookies behave in this way. Also can be seen here in which states "if you set Domain=mozilla.org, cookies are available on mozilla.org and its subdomains like developer.mozilla.org." which in most cases is not true, and should be set to domain=.mozilla.org to be available to subdomains.

[dpchamps]

@djc do you have a repro of what you're observing?