[yahelc]

No, cookies can be restricted to paths, it's just less commonly utilized.

https://developer.mozilla.org/en-US/docs/Web/API/Document/co...

[tptacek]

They can be, but the restriction isn't useful, because the Javascript same-origin policy doesn't reliably defend the boundary.

[dgoldstein0]

exactly. It still boggles my mind that browsers don't send up the path and domain of a cookie when sending the name & value with a request.

for anyone interested in the topic, https://www.usenix.org/system/files/conference/usenixsecurit... is a must read