@dshafik Where are they about to end up? Probably example.com.
@dshafik The Host: header is used by the HTTP server to determine what gets served. If you GET / by asking “example.org” but say “Host: example.com” then the origin is example.com.
The UA is expected to use the vhost (Host header), not the DNS name used. The domainspec on the cookie itself must then be unspecified or exactly “example.com”. See https://en.m.wikipedia.org/wiki/HTTP_cookie for more.
@dshafik I'd imagine .COM, based on curl's behavior