P粉364642019 2023-08-22 17:23:36
According to RFC 2965 3.3.1 (which may or may not be followed by browsers), unless the port is explicitly specified via the port parameter of the Set-Cookie header, the cookie may or may not be sent to any port.
Google's Browser Security Manual states: "By default, the scope of a cookie is limited to all URLs on the current hostname and is not bound to port or protocol information." A few lines later: "There is no way to restrict the cookie to a single DNS name [...] Likewise, there is no way to restrict it to a specific port." (Also, keep in mind that IE does not consider port numbers in its same-origin policy at all.)
Therefore, it seems unsafe to rely on any well-defined behavior here.
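The difference between a cookie with no port restriction and one carrying the RFC 2965 port parameter can be observed with Python's standard `http.cookiejar`. This is an added example, not part of the answer above; it models a non-browser client, and the hostname, cookie names and values are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request

HOST = "app.example.test"  # constructed hostname, not from the page


class FakeResponse:
    """Minimal response object: CookieJar only calls .info() on it."""

    def __init__(self, headers):
        self._msg = email.message.Message()
        for name, value in headers:
            self._msg[name] = value  # Message appends, so repeats are kept

    def info(self):
        return self._msg


def build_jar():
    """Store two cookies received from the service on port 8080."""
    # rfc2965=True makes the jar honour Set-Cookie2 and its Port attribute;
    # by default http.cookiejar ignores RFC 2965 cookies.
    policy = http.cookiejar.DefaultCookiePolicy(rfc2965=True)
    jar = http.cookiejar.CookieJar(policy)
    origin = urllib.request.Request(f"http://{HOST}:8080/login")
    response = FakeResponse([
        ("Set-Cookie", "open=abc123; Path=/"),
        ("Set-Cookie2", 'pinned=xyz789; Version=1; Path=/; Port="8080"'),
    ])
    jar.extract_cookies(response, origin)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


if __name__ == "__main__":
    jar = build_jar()
    for port in (8080, 9090):
        print(port, "->", cookie_header_for(jar, f"http://{HOST}:{port}/"))
```

The plain `Set-Cookie` value is attached to requests for both ports, so a second service on the same hostname receives it; only the cookie with the RFC 2965 port list stays on 8080, and only in a client that implements that attribute.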
P粉488464731 2023-08-22 12:31:49
The current cookie specification is RFC 6265, which supersedes RFC 2109 and RFC 2965 (these two RFCs are now marked as "historical"), and standardizes the syntax for the actual usage of cookies. It clearly states:
besides: