by tptacek 3233 days ago
They can be, but the restriction isn't useful, because the Javascript same-origin policy doesn't reliably defend the boundary.

Exactly. It still boggles my mind that browsers don't send up the path and domain of a cookie when sending the name & value with a request.

For anyone interested in the topic, https://www.usenix.org/system/files/conference/usenixsecurit... is a must-read.
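As an added illustration of the point made in the comment above (this is example code written for this page, not code from the commenter or from the linked paper), the script below models the browser side of RFC 6265: a cookie jar that remembers each cookie's Domain and Path, and the serialization step that throws that information away before the Cookie header goes on the wire. A cookie planted from a subdomain with a longer Path sorts ahead of the legitimate host-only cookie of the same name, and a server that keeps the first occurrence of a duplicate name silently takes the attacker's value. The hostnames, cookie names and values are constructed for the example; the `__Host-` prefix check at the end goes slightly beyond the comment and shows the rule browsers now apply to stop exactly this kind of shadowing.

```javascript
// Added example, not from the HN thread: a minimal model of how a browser
// builds the Cookie header (RFC 6265 section 5.4) and why the server cannot
// recover which domain or path set each cookie. Hosts and values are made up.

// RFC 6265 section 5.1.3, simplified: host equals the domain or is a
// subdomain of it (IP-address cases omitted).
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 section 5.1.4: request path equals the cookie path, or the cookie
// path is a prefix ending in '/' or followed by '/' in the request path.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return reqPath[cookiePath.length] === '/';
}

// A cookie as the jar stores it. hostOnly is true when no Domain attribute
// was given; the browser keeps all of this but sends only name=value.
function makeCookie(name, value, { domain, hostOnly, path, secure }) {
  return { name, value, domain, hostOnly, path, secure };
}

// Serialize the jar for one request the way a browser does: domain-match,
// path-match, Secure check, then longer paths first (section 5.4 step 2).
function cookieHeaderFor(jar, host, path, isHttps) {
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter(c => pathMatches(path, c.path))
    .filter(c => !c.secure || isHttps)
    .sort((a, b) => b.path.length - a.path.length)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What the server sees: name/value pairs and nothing else. Many frameworks
// keep only the first occurrence of a duplicated name, modelled here.
function parseCookieHeader(header) {
  const seen = new Map();
  for (const pair of header.split('; ')) {
    const i = pair.indexOf('=');
    const name = pair.slice(0, i);
    const value = pair.slice(i + 1);
    if (!seen.has(name)) seen.set(name, value);
  }
  return seen;
}

// Cookie prefixes: a browser only accepts a __Host- cookie if it is Secure,
// carries no Domain attribute (host-only) and has Path=/. That closes the
// subdomain and sibling-path injection shown in demo().
function hostPrefixAllowed(c) {
  if (!c.name.startsWith('__Host-')) return true;
  return Boolean(c.secure) && c.hostOnly && c.path === '/';
}

// Constructed scenario: the victim's host-only session cookie for
// example.com, plus a same-named cookie set by content on sub.example.com
// using Domain=example.com; Path=/account (permitted by RFC 6265).
function demo() {
  const jar = [
    makeCookie('session', 'victim-token',
      { domain: 'example.com', hostOnly: true, path: '/', secure: true }),
    makeCookie('session', 'attacker-token',
      { domain: 'example.com', hostOnly: false, path: '/account', secure: false }),
  ];
  const header = cookieHeaderFor(jar, 'example.com', '/account/settings', true);
  const chosen = parseCookieHeader(header).get('session');
  return { header, chosen };
}

// On a request to https://example.com/account/settings the header reads
// "session=attacker-token; session=victim-token" and the server picks
// attacker-token, with no way to tell the two apart from the header alone.
console.log(demo());
```

Running the block prints the constructed outcome: both cookies arrive under the same name, the attacker's sorts first because its Path is longer, and nothing in the header says which one example.com itself set. The `hostPrefixAllowed` check shows why the `__Host-` prefix works as a mitigation: the shadowing cookie in the scenario would be rejected by the browser at set time, so only the legitimate host-only, Secure, Path=/ cookie can ever carry that name.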