Cookies from domain incorrectly served on subdomain

By design Issue #8183708


Christopher F.
Jul 15, 2016
This issue is public.
Reported by 5 people

Sign in to watch or report this issue.

Steps to reproduce

  1. setup a webpage with an iframe in it
  2. domain of iframe should be a subdomain of the top page
  3. drop a cookie from the top page with cookie domain set to the top domain.
  4. view in the dev tools that the subdomain has access to that cookie.

According to RFC 2965, in order to expose cookies to subdomains, cookie domain should include a (.). I.e. can only see a cookie dropped by if the domain attribute is


Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Brad E.”

  • That blog post is dated 2009. I assume this doesn’t include the Edge browser?

  • Christopher: The Q2 and Q3 paragraphs include a test link; running in Edge shows that the problem continues to exist in the latest nightly builds of Edge.

    (The responsible code lives in WinINET, the shared network stack underneath both Edge and IE)

  • Microsoft Edge Team

    Changed Assigned To to “Travis L.”

    Changed Assigned To to “Venkat K.”

    Changed Assigned To from “Venkat K.” to “Ivan P.”

    Changed Assigned To from “Ivan P.” to “Matthew C.”

    Changed Status to “By design”

  • So is that a won’t fix? Do we seriously need to get this into ES7 to motivate fixing this decade old bug?

  • RFC 2965 was never really adopted by any browser.

    RFC 6265 is the current RFC and used by most browsers.  Per this RFC the domain attribute ignores leading dots.  The only way to get a cookie constrained to a particular domain is to not have a domain attribute which will cause the hostonly flag to be set.  Edge plans on adding hostonly support (per RFC 6265) in a later release.

    The MS Edge Team

You need to sign in to your Microsoft account to add a comment.

Sign in