It's more opting an entire sub-domain into a control group where the only cookies it gets are those that it sets and nothing more (except maybe whitelisted cookies?) No idea how to make that happen without adding yet more craziness into the dumpster that is cookies.
I don't want to create a new policy language with carveouts and etc. But I could imagine something like setting a `__Cookie-Config=HttpOnly,HostOnly,SecureOnly; Path=/.well-known/cookie-config; Secure; HttpOnly` that would reasonably restrict all cookies on a given host.
I haven't written anything down because I don't think anyone would use it without a more capacious policy language with carveouts and lists and etc, and I don't want to design or implement that. :)
I wonder if one could get by with something in the middle. Let's say I have github.com and it leaks a few cookies purposefully to subdomains. Now I want to add support.github.com and let them opt out/detach from github.com cookies.
I don't deny it wouldn't take long before folks started asking for a flexible policy language to construct any imaginable policy.
I think it's pretty reasonable for `xxx.github.com` to opt itself into `__Host-`-style behavior for all of its cookies. That's a nice, binary decision that seems like we could hack something together to support. I worry about the complexity of allowing certain cookies.
The main goal being able to use the domain “brand” for things you would otherwise just put on a separate domain. SAS support sites are a great example of this since they are both wildly common and folks desire for them to be affiliated with the parent domain brand-wise.
SAS generally assumes control of `xxx.whatever.com`. I think it's pretty reasonable to give them the ability to isolate themselves, and doing so along the well-lit `__Host-` path by treating every cookie as though it lacked the `Domain` attribute seems pretty reasonable.
I'm sure one could concoct lots of arbitrary scenarios folks would like to wire up. But, the base case of being able to detach a subdomain from its parent is a pretty useful primitive.
Do you think it's the subdomains' responsibility to do so, or the apex domain's responsibility to set a policy for subdomains? I tend towards the latter, but I'm not sure what it would mean for the policy language's complexity.
Apex.

Apr 28, 2020 · 8:36 PM UTC

Yeah... I tend to agree... but also appreciate the complexity this creates.