Can cookies be set against a top-level domain like .com?


I have a question related to Share cookie between subdomain and domain - what happens if I set the domain to .com while setting the cookie? Can all .com sites use that cookie?

A well-configured user agent should reject such a cookie, as described in RFC 6265 section 5.3:

  1. If the user agent is configured to reject "public suffixes" and the domain-attribute is a public suffix:
     • If the domain-attribute is identical to the canonicalized request-host:
       • Let the domain-attribute be the empty string.
     • Otherwise:
       • Ignore the cookie entirely and abort these steps.

  NOTE: A "public suffix" is a domain that is controlled by a public registry, such as "com", "co.uk", and "pvt.k12.wy.us". This step is essential for preventing attacker.com from disrupting the integrity of example.com by setting a cookie with a Domain attribute of "com". Unfortunately, the set of public suffixes (also known as "registry controlled domains") changes over time. If feasible, user agents SHOULD use an up-to-date public suffix list, such as the one maintained by the Mozilla project at http://publicsuffix.org/.
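The section 5.3 check quoted in the answer above, written out as an added stand-alone example (not code from the original answer or from any browser) together with the domain-match step that follows it in the RFC; the public-suffix set is a small constructed sample and the function names are assumptions.

```python
# Added example: the RFC 6265 section 5.3 Domain-attribute checks, run against a
# constructed public-suffix sample. A real user agent loads the full, regularly
# updated list from publicsuffix.org instead of this hard-coded set.
from typing import Optional

# Constructed sample of public suffixes (the RFC's own three examples).
PUBLIC_SUFFIXES = {"com", "co.uk", "pvt.k12.wy.us"}


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching for host names (IP addresses not handled)."""
    request_host = request_host.lower()
    domain = domain.lower()
    return request_host == domain or request_host.endswith("." + domain)


def effective_cookie_domain(request_host: str, domain_attr: Optional[str]) -> Optional[str]:
    """Return the domain the cookie is stored for, or None when it must be ignored.

    Mirrors section 5.3: normalise the Domain attribute, drop cookies whose Domain
    is a public suffix (unless it equals the request host, which yields a host-only
    cookie), then require the request host to domain-match the Domain attribute.
    """
    host = request_host.lower().rstrip(".")
    if not domain_attr:
        # No Domain attribute: host-only cookie bound to the request host.
        return host
    # Section 5.2.3 strips a leading dot from the Domain attribute value.
    domain = domain_attr.lower().lstrip(".").rstrip(".")
    if domain in PUBLIC_SUFFIXES:
        if domain == host:
            # Treated as if no Domain attribute were present: host-only cookie.
            return host
        # attacker.com trying Domain=com lands here: ignore the cookie entirely.
        return None
    if not domain_matches(host, domain):
        # A site may not set cookies for an unrelated domain.
        return None
    return domain


if __name__ == "__main__":
    print(effective_cookie_domain("attacker.com", "com"))              # None
    print(effective_cookie_domain("www.example.com", ".example.com"))  # example.com
    print(effective_cookie_domain("www.example.com", "other.com"))     # None
```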