The analogy that comes to mind is this is like telling folks not to use third party library code for dependencies because of the risks. It’s 2020 and nearly nobody writes/runs every bit of software associated with running their business. This should be doable.
What would be helpful here? Would opting into `__Host-` behavior for a whole site in some way be helpful? (I have terrible ideas about how to do this with a specially-named configuration cookie set from the site’s apex domain (with host-specific overrides) that I should write up)
It's more opting an entire sub-domain into a control group where the only cookies it gets are those that it sets and nothing more (except maybe whitelisted cookies?) No idea how to make that happen without adding yet more craziness into the dumpster that is cookies.
I don't want to create a new policy language with carveouts and etc. But I could imagine something like setting a `__Cookie-Config=HttpOnly,HostOnly,SecureOnly; Path=/.well-known/cookie-config; Secure; HttpOnly` that would reasonably restrict all cookies on a given host.
I haven't written anything down because I don't think anyone would use it without a more capacious policy language with carveouts and lists and etc, and I don't want to design or implement that. :)
I wonder if one could get by with something in the middle. Let's say I have github.com and it leaks a few cookies purposefully to subdomains. Now I want to add support.github.com and let them opt out/detach from github.com cookies.
I don't deny it wouldn't take long before folks started asking for a flexible policy language to construct any imaginable policy.
I think it's pretty reasonable for `xxx.github.com` to opt itself into `__Host-`-style behavior for all of its cookies. That's a nice, binary decision that seems like we could hack something together to support. I worry about the complexity of allowing certain cookies.
The main goal is being able to use the domain “brand” for things you would otherwise just put on a separate domain. SAS support sites are a great example of this since they are both wildly common and folks desire for them to be affiliated with the parent domain brand-wise.
SAS generally assumes control of `xxx.whatever.com`. I think it's pretty reasonable to give them the ability to isolate themselves, and doing so along the well-lit `__Host-` path by treating every cookie as though it lacked the `Domain` attribute seems pretty reasonable.
Problem is we won’t trust the third party to isolate themselves and keep themselves isolated. Many of these services ask for CNAMEs, which means the service can point it to anywhere. Thus the reverse proxy to strip off cookies.

Apr 28, 2020 · 8:36 PM UTC
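The isolation idea discussed in the thread (a subdomain treating every cookie as though it lacked the `Domain` attribute, i.e. `__Host-`-style behaviour) and the reverse-proxy cookie stripping mentioned at the end, modelled as an added example that is not from any participant. The hosts github.com / support.github.com come from the thread; the cookie names and jar contents are constructed, and the `host_only_isolation` switch is a hypothetical policy, not a browser feature.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cookie:
    name: str
    origin_host: str          # host whose response set the cookie
    domain: Optional[str]     # Domain attribute; None means host-only
    path: str = "/"
    secure: bool = True


def domain_matches(request_host: str, domain: str) -> bool:
    # RFC 6265 5.1.3 domain matching: identical, or request host is a
    # dot-separated subdomain of the cookie's Domain attribute.
    return request_host == domain or request_host.endswith("." + domain)


def cookies_for(request_host: str, jar: List[Cookie],
                host_only_isolation: bool = False) -> List[str]:
    # Names of cookies a browser would attach to a request for request_host.
    # With host_only_isolation=True every cookie is treated as host-only, so a
    # subdomain only ever sees cookies it set itself (hypothetical policy).
    sent = []
    for c in jar:
        if host_only_isolation or c.domain is None:
            match = c.origin_host == request_host
        else:
            match = domain_matches(request_host, c.domain)
        if match:
            sent.append(c.name)
    return sorted(sent)


def host_prefix_ok(c: Cookie) -> bool:
    # Browser rules for the __Host- prefix: Secure, no Domain attribute, Path=/.
    return c.secure and c.domain is None and c.path == "/"


def strip_cookie_header(cookie_header: str, allowed: Set[str]) -> str:
    # Reverse-proxy step from the thread: drop every cookie not on the
    # allow-list before forwarding the request to the third-party backend.
    kept = []
    for pair in cookie_header.split(";"):
        name, _, _ = pair.strip().partition("=")
        if name in allowed:
            kept.append(pair.strip())
    return "; ".join(kept)


# Constructed jar: two cookies set by the apex, two by the support subdomain.
JAR = [
    Cookie("session", "github.com", "github.com"),        # shared to subdomains
    Cookie("csrf", "github.com", None),                   # host-only on apex
    Cookie("sess-support", "support.github.com", None),
    Cookie("__Host-sid", "support.github.com", None),
]
```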