This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author xtreak
Recipients Windson Yang, martin.panter, ned.deily, orsenthil, serhiy.storchaka, xtreak, 西田雄治
Date 2018-12-27.06:58:31
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Also looking at the docs for different frameworks like [Flask]( and [Django]( they recommend setting Domain attribute only for cross-domain cookies.

From Django docs

> Use domain if you want to set a cross-domain cookie. For example, domain="" will set a cookie that is readable by the domains,, etc. Otherwise, a cookie will only be readable by the domain that set it.

When there is no domain specified then the frameworks seem to set the cookie only for the host only as per [RFC 6265]( So domain attribute is set all the time and it's just that if the domain attribute is set explicitly by the server with the set_cookie function in the frameworks then the cookiejar has domain_specified set along with dot prefixed for the domain enabling stricter validations. I don't know about the metrics of setting the domain attribute vs not setting it. Checking with a simple Flask app and set_cookie without domain parameter the cookies are passed to suffix domains. With domain passed to set_cookie has dot prefixed and the cookies are not passed to suffix domains.

I also looked into other implementations

* aiohttp - uses cookiejar but has custom domain checks and update cookie methods at . Thus it's not affected when tested.
* golang implementation -
Date User Action Args
2018-12-27 06:58:33xtreaksetrecipients: + xtreak, orsenthil, ned.deily, martin.panter, serhiy.storchaka, Windson Yang, 西田雄治
2018-12-27 06:58:31xtreaksetmessageid: <>
2018-12-27 06:58:31xtreaklinkissue35121 messages
2018-12-27 06:58:31xtreakcreate