@dshafik Where are they about to end up? Probably example.com.
@dshafik The Host: header is used by the HTTP server to determine what gets served. If you GET / by asking “example.org” but say “Host: example.com” then the origin is example.com.
The UA is expected to use the vhost (Host header), not the DNS name used. The domainspec on the cookie itself must then be unspecified or exactly “example.com”. See https://en.m.wikipedia.org/wiki/HTTP_cookie for more.
@dshafik I'd imagine .COM, based on curl's behavior