Comment 46 for bug 44062

In , Dveditz (dveditz) wrote:

Due to historical browser restrictions of 20 cookies per site I'd be extremely
surprised to ever see 40 or more (20 host, 20 domain) in a real life case. Your
performance numbers sound great.

Jacek Piskozub writes in comment 42
>> but other X .legit and Y.legit do purposefully share cookies.
>
>Well, the fact that X and Y purposefully share cookies need not mean that I
>want to show my X cookies to Y.

Then you want an option to disallow domain cookies, which is not this bug and
will break most large/complex/commercial sites on the web. Once you allow domain
cookies there is no legitimate set of rules that can be implemented on the
browser that can account for how humans will subdivide various domains into
cooperative and independent parts.

Ian Thomas writes in comment 43
> I just thought of a domain worse than .jp - .name.

Another example that shows we'll never solve this solely on the browser side.
Let's get a reasonable blacklist going based on the currently known web (this
bug) and then also provide a mechanism for future sites to be able to protect
themselves by being able to check the origin of a cookie. It looks like Apache
has support for both RFC 2109 and RFC 2965 style cookies, but defaults to
Netscape-style.
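The "reasonable blacklist" idea from the comment above, as an added example that is not part of the bug thread or of the browser's own cookie code: a small checker that parses the Domain attribute out of a raw Set-Cookie header and rejects domain cookies that either fall outside the setting host or land on a blacklisted public suffix such as `.co.jp` or `.name`. The suffix list, the function names and the sample headers are all constructed for illustration, not taken from any real browser or suffix list.

```javascript
// Constructed sample blacklist of suffixes that must never own a domain cookie.
// A real deployment would use a maintained public-suffix list instead.
const SAMPLE_SUFFIX_BLACKLIST = new Set(["jp", "co.jp", "name", "co.uk", "com", "net"]);

// Pull just the Domain attribute out of a raw Set-Cookie header value.
// Returns null when the header carries no Domain attribute (host-only cookie).
function parseDomainAttribute(setCookieHeader) {
  const attributes = setCookieHeader.split(";").slice(1); // drop "name=value"
  for (const attr of attributes) {
    const [name, ...rest] = attr.trim().split("=");
    if (name.trim().toLowerCase() === "domain") {
      return rest.join("=").trim();
    }
  }
  return null;
}

// Lower-case and strip the optional leading dot (Netscape style) and any trailing dot.
function normaliseDomain(d) {
  return d.toLowerCase().replace(/^\./, "").replace(/\.$/, "");
}

// Decide whether `setterHost` may set a cookie scoped to `domainAttr`.
// Returns an object so the caller can log the reason for a rejection.
function isCookieDomainAllowed(setterHost, domainAttr, blacklist = SAMPLE_SUFFIX_BLACKLIST) {
  const host = normaliseDomain(setterHost);
  if (domainAttr === null) {
    return { allowed: true, domain: host, reason: "host-only cookie" };
  }
  const domain = normaliseDomain(domainAttr);
  if (!domain.includes(".")) {
    // A bare TLD (or empty string) would be shared with every site under it.
    return { allowed: false, domain, reason: "top-level or empty domain" };
  }
  if (host !== domain && !host.endsWith("." + domain)) {
    // The setter must itself live inside the domain it is claiming.
    return { allowed: false, domain, reason: "setter is not within domain" };
  }
  if (blacklist.has(domain)) {
    // Domain is a registry suffix: unrelated sites would all receive the cookie.
    return { allowed: false, domain, reason: "domain is a blacklisted public suffix" };
  }
  return { allowed: true, domain, reason: "domain cookie within setter's site" };
}

// Convenience wrapper: raw header in, decision out.
function checkSetCookie(setterHost, setCookieHeader) {
  return isCookieDomainAllowed(setterHost, parseDomainAttribute(setCookieHeader));
}

// Constructed sample run (what a browser would see from www.example.co.jp).
console.log(checkSetCookie("www.example.co.jp", "sid=1; Domain=.co.jp; Path=/"));
console.log(checkSetCookie("www.example.co.jp", "sid=1; Domain=.example.co.jp; Path=/"));
```

The suffix check is only the blacklist half of the proposal; the "check the origin of a cookie" half needs the server side (RFC 2965's Cookie2/$Domain reporting or an equivalent) and is not modelled here.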