This page is about the domain property of a cookie 1) that is part of the scope that determine to which resource the browser cookies are added to the request (ie returned to the server).
The Domain attribute specifies the hosts (port excluded) to which the cookie will be sent.
Setting the cookie domain value to all subdomains (i.e., *.website.com) will sent all this cookie automatically to all sub-domain HTTP request and as cookie may also holds credentials information (ie session cookie), great care should be taken to set the domain as restrictive as possible.
If the Domain attribute is omitted, the user agent will return the cookie only to the origin server.
Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. These user agents will erroneously send the cookie to www.example.com as well.
The domain of a cookie is set by the server via the Set-Cookie header and not by the user-agent (browser).
In javascript, setting cookies to foreign domains are silently ignored.
Example for a first party from foo.example.com, the user agent (browser) will :
If the apex/registered domain of the cookie domain does not match the apex domain of the requested URL, the cookie is ignored and you get the below warning.
This set-cookie was blocked because its Domain attribute was invalid with regards to the current host url
public suffixes such as com or co.uk are rejected.