by rcsorensen 4530 days ago
The impact on CDN providers is kinda scary.

To take an example we all know and love, a malicious *.cloudfront.net distribution could be setting cookies against cloudfront, breaking all your fancy static asset serving from cloudfront.

Is there a mitigation other than _always_ having to use a myappname-static.com domain name?

Thinking about this at a higher level -- there are some interesting similarities to "shared hosting" resource contention, but this time with domain names on CDNs. If somebody executes a forkbomb on your shared host, you're hosed. If somebody executes a cookiebomb on your CDN provider SLD, you're hosed.

Browser vendors could prevent this with good second level domain support. Register cloudfront, akamai, etc. domain names as only hosting user-created content on third level domains. Pin large examples to the browser distribution, and allow TXT records in DNS specifying this at the top level.

1 comments

Web browsers could also mitigate against it by limiting the size of their requests. If too many cookies have been set, throw away the older ones until the request is small enough to likely be accepted by most web servers.

It's not a perfect fix, nor does it solve the wider issue of letting one domain set a cookie for a domain that it has no authority over, but it would stop people being blocked from a site with a bizarre 500 error. Worst case, a login/ID cookie gets flushed and the user has to log in again.