The Domain attribute specifies the hosts (port excluded) to which the cookie will be sent.
Setting the cookie domain value to cover all subdomains (i.e., *.website.com) causes the cookie to be sent automatically with every HTTP request to any subdomain. Because a cookie may also hold credential information (such as a session cookie), great care should be taken to set the domain as restrictively as possible.
- if the value of the Domain attribute is:
If the Domain attribute is omitted, the user agent will return the cookie only to the origin server.
Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. For example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well.
First party domain
- or foo.example.com
- or baz.foo.example.com
Third party domain
This set-cookie was blocked because its Domain attribute was invalid with regards to the current host url
Top Level Domain
Public suffixes such as com or co.uk are rejected.
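
The rules above (omitted Domain, first-party parent domain, third-party domain, public suffix) can be checked together. The following is an added example, not code from the original page or from any browser; it follows the RFC 6265 domain-match rule, and the function names, the two-entry suffix set and the host list are constructed for illustration.

```javascript
// Constructed, deliberately tiny sample; real user agents consult the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// Domain-match as in RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
// Assumption: hosts are names, not IP addresses (IPs only ever match exactly).
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// How a user agent stores a cookie set by requestHost; domainAttr undefined means "omitted".
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (domainAttr === undefined || domainAttr === "") {
    return { accepted: true, hostOnly: true, domain: host };
  }
  const domain = domainAttr.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  if (PUBLIC_SUFFIXES.has(domain)) {
    // Public suffix: kept as host-only only when the host itself is that suffix.
    return domain === host
      ? { accepted: true, hostOnly: true, domain: host }
      : { accepted: false, reason: "public suffix" };
  }
  if (!domainMatch(host, domain)) {
    return { accepted: false, reason: "Domain does not cover the setting host" };
  }
  return { accepted: true, hostOnly: false, domain };
}

// Which of the candidate hosts would receive the cookie on later requests.
function recipients(requestHost, domainAttr, candidates) {
  const c = storeCookie(requestHost, domainAttr);
  if (!c.accepted) return [];
  return candidates.filter((h) => {
    const t = h.toLowerCase();
    return c.hostOnly ? t === c.domain : domainMatch(t, c.domain);
  });
}

// Constructed host list for the demonstration.
const HOSTS = ["example.com", "www.example.com", "foo.example.com",
               "baz.foo.example.com", "example.org"];
for (const attr of [undefined, "foo.example.com", "example.com", "example.org", "com"]) {
  console.log(String(attr), "->", recipients("foo.example.com", attr, HOSTS));
}
```

Run against a site's real host inventory, the widest row shows every host that would receive a session cookie if the Domain attribute were set to the parent domain.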