Host-only

When a server does not include a Domain directive the cookie is to be considered host-only, meaning that its validity is restricted to the current domain only.

This is a sort of default behavior from browsers when they receive a cookie that does not have a Domain set. You can find a small example I wrote at github.com/odino/wasec/tree/master/cookies. It’s a simple web app that sets cookies based on URL parameters, and prints cookies on the page, through some JavaScript code.

<html>
  <div id="output"/ >
  <script>
    let content = "none";

    if (document.cookie) {
      let cookies = document.cookie.split(';')
      content = ''

      cookies.forEach(c => {
        content += "<p><code>" + c + "</code></p>"
      })
    }

    document.getElementById('output').innerHTML = "Cookies on this document: <div>" + content + "</div>"
  </script>
<html>

If you follow the instructions in the README you will be able to access a webserver at wasec.local:7888, which illustrates how host-only cookies work.