Cookies Set on a Public Suffix Domain Are Considered Cross-Origin

Setting a cookie doesn’t always have the same behavior. If you set a cookie on a domain listed in the public suffix list using SameSite=strict, it will get blocked by CORS even if they request and the cookie are coming from the same domain.

This makes sense for certain domains that are primarily used to host the sites of multiple users like compute.amazonaws.com for AWS resources or githubpreview.dev which serves preview for GitHub Codespaces. You wouldn’t want a different user hosted on the same domain to be able to set cookies for your users’ site because that would be a security issue.

A workaround is to use SameSite=none and the prerequisite Secure attribute to set the cookie, but this effectively allows cross site cookies which requires other security measures to lock down.

See also:

  • Running Docker Compose in Codespaces

    Using the built-in docker-compose configuration in GitHub Codespaces is limited. It’s better to run docker-compose inside the Codespace but this requires a docker-in-docker setup which is finicky.