I use Google Finance, Yahoo Finance, Marketwatch, Bloomberg and the WSJ stock pages very frequently and can confirm that Google Finance was on finance.google.com until quite recently. Pretty sure it was there earlier this year.
Yes, but Google Finance is on google.com/finance (for some reason; I'm sure it used to be finance.google.com at some point...).
Cookies set for just subdomain.hostname.com can only be "seen by" that particular subdomain, while cookies set for hostname.com can be seen from hostname.com and any and all subdomains. I think that's why they do it constantly, at least stuff like www.google.com/glass certainly makes no sense otherwise. Why not make a fancy new domain for that? I think it's cookie greed.
cookie greed doesn't explain it, because they don't issue any cookies for www.google.com, or at least, I don't have any; they do issue cookies for .google.com, which www and finance can access equally. It's either a branding thing, or a they paid for the fancy load balancer so they're going to use it thing.
That's a good point, I stand corrected. Of course, if you wanted to be "minimal" about cookies, you'd have to use a subdomain, but using one doesn't mean anything by itself.
The importance of httpOnly had somehow escaped me until today :-)