Quiz Entry - updated: 2026.07.14
How does the Same-Origin Policy apply to cookies specifically — what are the rules for setting and sending them?
Cookies follow their own SOP based on the Domain and Path attributes (which are looser than the script SOP — they're per-domain, not per-origin).
Setting (Set-Cookie: ...; Domain=...):
- A server may only set cookies for its own host or a parent domain suffix.
- It may not set cookies for a top-level domain (
.com) — otherwiseevil.comcould plant cookies on every.comsite. - The
Pathattribute can be set to anything (no restriction).
Sending — the browser sends a cookie if both:
- The cookie's
Domainis a suffix of the request's hostname, and - The cookie's
Pathis a prefix of the request's path.
Worked example. Server login.site.com may set cookies with:
Domain= value |
Allowed? |
|---|---|
login.site.com |
✅ own host |
.site.com |
✅ parent suffix |
user.site.com |
❌ sibling host, not a suffix |
othersite.com |
❌ different site |
.com |
❌ top-level domain |
A cookie set with Domain=.site.com:
- ✅ sent to
login.site.com,other.site.com(subdomains of.site.com) - ❌ not sent to
user.othersite.com(different domain)
Tip: A cookie without an explicit Domain is sent only to the exact host that set it (host-only). That's almost always what you want — set Domain only if you genuinely need to share between subdomains.