@dshafik Where are they about to end up? Probably example.com.
@dshafik The Host: header is used by the HTTP server to determine what gets served. If you GET / by asking “example.org” but say “Host: example.com” then the origin is example.com.
The UA is expected to use the vhost (Host header), not the DNS name used. The domainspec on the cookie itself must then be unspecified or exactly “example.com”. See https://en.m.wikipedia.org/wiki/HTTP_cookie for more.
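An added example, not part of the thread, that models the rule described above in Python following RFC 6265 (sections 5.1.3, 5.2.3, 5.3 and 5.4): the cookie's request-host is taken from the Host header the client sent, not from the DNS name it connected to, and a Domain attribute is only honoured if that request-host domain-matches it. The `CookieJar`, `request_host_for` and the connect-to-example.org / Host-example.com scenario are constructed for illustration; public-suffix rejection is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def canonicalize(host: str) -> str:
    """Lower-case and drop a trailing dot (RFC 6265 s5.1.2, simplified: no IDNA handling)."""
    return host.strip().lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: identical, or `domain` is a suffix of request_host preceded by '.',
    and request_host is a host name rather than an IP literal."""
    request_host = canonicalize(request_host)
    domain = canonicalize(domain).lstrip(".")  # s5.2.3: a leading dot is ignored
    if request_host == domain:
        return True
    return request_host.endswith("." + domain) and not is_ip_literal(request_host)


def request_host_for(connect_host: str, host_header: str) -> str:
    """The cookie request-host is the Host header the UA asked for; the name resolved via
    DNS (connect_host) plays no part. Constructed helper for the thread's scenario."""
    return canonicalize(host_header)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool


class CookieJar:
    """Minimal store applying the RFC 6265 domain rules (cookies keyed by name only)."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def receive(self, request_host: str, name: str, value: str,
                domain_attr: Optional[str] = None) -> bool:
        """s5.3 step 6: no Domain attribute -> host-only cookie on the request-host;
        Domain attribute -> accepted only if request-host domain-matches it."""
        request_host = canonicalize(request_host)
        if domain_attr:
            if not domain_matches(request_host, domain_attr):
                return False  # cookie is ignored entirely
            cookie = Cookie(name, value, canonicalize(domain_attr).lstrip("."), host_only=False)
        else:
            cookie = Cookie(name, value, request_host, host_only=True)
        self.cookies = [c for c in self.cookies if c.name != name]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, request_host: str) -> List[str]:
        """s5.4: host-only cookies need an exact host match, others a domain-match."""
        request_host = canonicalize(request_host)
        names = []
        for c in self.cookies:
            if c.host_only and request_host == c.domain:
                names.append(c.name)
            elif not c.host_only and domain_matches(request_host, c.domain):
                names.append(c.name)
        return names


if __name__ == "__main__":
    # Constructed scenario from the thread: TCP to example.org, but "Host: example.com".
    rh = request_host_for("example.org", "example.com")
    jar = CookieJar()
    jar.receive(rh, "sid", "abc")                    # host-only on example.com
    jar.receive(rh, "wide", "xyz", "example.com")    # shared with subdomains
    jar.receive(rh, "bad", "1", "example.org")       # rejected: no domain-match
    print(rh, jar.cookies_for("example.com"), jar.cookies_for("www.example.com"),
          jar.cookies_for("example.org"))
```

The practical check this gives a defender: a cookie set during a request with a mismatched Host header lands on the Host value, so a server that blindly trusts Host (or a client that sets it by hand, as curl does) scopes the cookie to that name and not to the DNS name actually connected to.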
@dshafik I'd imagine .COM, based on curl's behavior