LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does the Same-Origin Policy apply to cookies specifically — what are the rules for setting and sending them?

Cookies follow their own SOP based on the Domain and Path attributes (which are looser than the script SOP — they're per-domain, not per-origin).

Setting (Set-Cookie: ...; Domain=...):

  • A server may only set cookies for its own host or a parent domain suffix.
  • It may not set cookies for a top-level domain (.com) — otherwise evil.com could plant cookies on every .com site.
  • The Path attribute can be set to anything (no restriction).

Sending — the browser sends a cookie if both:

  • The cookie's Domain is a suffix of the request's hostname, and
  • The cookie's Path is a prefix of the request's path.

Worked example. Server login.site.com may set cookies with:

Domain= value Allowed?
login.site.com ✅ own host
.site.com ✅ parent suffix
user.site.com ❌ sibling host, not a suffix
othersite.com ❌ different site
.com ❌ top-level domain

A cookie set with Domain=.site.com:

  • ✅ sent to login.site.com, other.site.com (subdomains of .site.com)
  • ❌ not sent to user.othersite.com (different domain)

Tip: A cookie without an explicit Domain is sent only to the exact host that set it (host-only). That's almost always what you want — set Domain only if you genuinely need to share between subdomains.

From Quiz: ISF / Web Application Security Basics | Updated: Jul 14, 2026