by lynxaegon 4530 days ago
It's really interesting. The problem is that I don't see any fix for it. The only way would be to update the browsers, or maybe use a plugin to block such attacks.

Or serve the untrusted content from a sub-subdomain, e.g. "foo.bar.CDN_HOST.com", so that you could only bomb bar.CDN_HOST.com and not the entire domain.
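The scoping behind the sub-subdomain suggestion, as an added example that is not from the thread or from any poster: a small model of RFC 6265 cookie domain matching (section 5.1.3) and the Domain-attribute rules a browser applies when a cookie is stored (section 5.3), run against the thread's placeholder host names. The model assumes CDN_HOST.com is registered as a public suffix, which is what makes a page on foo.bar.CDN_HOST.com unable to set a cookie for CDN_HOST.com itself; the public-suffix set and the host list are constructed for the example.

```javascript
// Added example, not code from the thread. Models which hosts receive a
// cookie that untrusted content on one sub-subdomain is allowed to set.

// RFC 6265 section 5.1.3: does requestHost domain-match cookieDomain?
// True when identical, or when cookieDomain is a dot-separated suffix of
// requestHost and requestHost is not an IPv4 literal.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  if (h === d) return true;
  return h.endsWith('.' + d) && !/^\d+\.\d+\.\d+\.\d+$/.test(h);
}

// RFC 6265 section 5.3 steps 4-6: may a page served from settingHost store a
// cookie carrying Domain=domainAttr? Allowed when settingHost domain-matches
// the attribute and the attribute is not a public suffix (a public suffix is
// only accepted when it equals the host itself, and then as a host-only cookie).
// publicSuffixes is a constructed stand-in for the real Public Suffix List.
function canSetDomainCookie(settingHost, domainAttr, publicSuffixes) {
  const host = settingHost.toLowerCase();
  const d = domainAttr.toLowerCase().replace(/^\./, '');
  if (publicSuffixes.has(d)) return d === host;
  return domainMatches(host, d);
}

// Blast radius: of the hosts listed, which would receive a cookie that a page
// on settingHost sets with Domain=domainAttr? Empty when the browser refuses it.
function blastRadius(settingHost, domainAttr, hosts, publicSuffixes) {
  if (!canSetDomainCookie(settingHost, domainAttr, publicSuffixes)) return [];
  return hosts.filter(h => domainMatches(h, domainAttr));
}

// Constructed host list for the thread's placeholder CDN domain.
const HOSTS = [
  'cdn_host.com',
  'www.cdn_host.com',
  'bar.cdn_host.com',
  'foo.bar.cdn_host.com',
  'baz.bar.cdn_host.com',
  'other.cdn_host.com',
];

// Constructed public-suffix set: the CDN's apex is registered as a public
// suffix, the way user-content hosts commonly are.
const PSL = new Set(['cdn_host.com']);

// Untrusted content on foo.bar.cdn_host.com: the widest cookie it may set is
// Domain=bar.cdn_host.com, which reaches only the bar.* subtree.
console.log(blastRadius('foo.bar.cdn_host.com', 'bar.cdn_host.com', HOSTS, PSL));
// Domain=cdn_host.com is refused because it is a public suffix.
console.log(blastRadius('foo.bar.cdn_host.com', 'cdn_host.com', HOSTS, PSL));
// Without the public-suffix entry the same cookie would hit every host.
console.log(blastRadius('foo.bar.cdn_host.com', 'cdn_host.com', HOSTS, new Set()));
```

The third call is the check worth running against a real deployment: the sub-subdomain layout only confines the damage to bar.CDN_HOST.com if browsers treat CDN_HOST.com as a public suffix; otherwise a page anywhere under it can still set a Domain=CDN_HOST.com cookie that every host receives.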
You'd think a higher level domain should be able to specify whether a subdomain can set cookies for it or not.
That would be nice, but it would have a lot of ramifications. Before setting the cookie, the browser would need to know if it's allowed, so presumably it would have to load some file. Perhaps this could be done in a manner similar to CORS requests.
Content-Security-Policy: can-set-cookies: no!

BTW if JS is off we can use <meta http-equiv Set-Cookie>

It might be better to allow:

Content-Security-Policy: can-set-cookies-for-parent-domain: no!

There's no harm in letting haxx0r.blogspot.com set cookies for haxx0r.blogspot.com. It's only cookies for blogspot.com that should be restricted.

Well OK then.