| Current Hostname | … |
|---|---|
| Protocol | … |
| Is this host a PSL entry? | … |
| Public Suffix / eTLD | … |
| Registrable Domain (eTLD+1) | … |
| Widest Allowed Cookie Domain | … |
| Name | Value |
|---|---|
| No cookies | |

document.cookie: (empty)
Cookie request header
document.cookie in JavaScript hides HttpOnly cookies for security.
This panel makes a live fetch to the server and shows exactly what it receives —
including HttpOnly cookies that are invisible above.
Goal: Prove foo.platter-app.dev cookies are invisible on bar.platter-app.dev.

Cookie: Name: from_foo, Value: hello_from_foo, Domain: (unset)

platter-app.dev is in the PSL private section, so browsers treat foo.platter-app.dev and bar.platter-app.dev as fully separate sites with distinct registrable domains — just like alice.github.io and bob.github.io. No cookies leak across the boundary.
Goal: Try to set a tracking cookie spanning all subdomains.

Cookie: Name: supercookie, Value: tracking_you, Domain: platter-app.dev (the “PSL entry, REJECT” option)

The browser rejects a cookie whose domain attribute matches a public suffix. Without this protection, foo.platter-app.dev could set a .platter-app.dev cookie that every other subdomain would send to the server — a classic cross-site tracking attack.
Goal: Set a cookie on platter-app.dev and check subdomain visibility.

Cookie: Name: root_cookie, Value: im_root, Domain: (unset)

On an ordinary registrable domain such as example.com, a cookie with domain=example.com would be visible on sub.example.com. But because platter-app.dev is itself a PSL entry, it has no “parent” to share cookies with, and subdomains cannot inherit from it.
Goal: Try to set a cookie for bar.platter-app.dev while on foo.platter-app.dev.

Cookie: Name: cross_attempt, Domain: bar.platter-app.dev

foo.platter-app.dev cannot set cookies for bar.platter-app.dev — they share no common ancestor below the PSL boundary.
Goal: Observe the gap between document.cookie and the server’s Cookie header.

HttpOnly is a server-set flag that instructs the browser to include the cookie in HTTP requests but never expose it to JavaScript. This means a script injected via XSS cannot read session tokens out of document.cookie.
The Public Suffix List is a community-maintained catalog of all domain suffixes
under which Internet users can directly register names. Originally created by Mozilla,
it is now used by all major browsers, and many other tools (curl, Go's
net/http, Python's tldextract, etc.).
Examples from the ICANN section: .com, .co.uk, .pvt.k12.ma.us
Examples from the private section: github.io, s3.amazonaws.com, platter-app.dev

platter-app.dev — the base domain of this sandbox — is listed in the private section.
| Term | Meaning | Example |
|---|---|---|
| eTLD | Effective top-level domain (the PSL entry) | platter-app.dev |
| eTLD+1 | One label to the left of the eTLD (registrable domain) | foo.platter-app.dev |
| Host-only cookie | No domain attribute; bound to exact hostname | set on foo.platter-app.dev, stays there |
Browsers enforce two PSL-based cookie rules:

1. A Domain attribute that is itself a public suffix is rejected: document.cookie = "x=1; domain=platter-app.dev" is silently dropped if platter-app.dev is in the PSL.
2. Cookie scope stops at the registrable domain: foo.platter-app.dev and bar.platter-app.dev have different eTLD+1 values, so they cannot share cookies — even though they are served by the same server.
| Domain | PSL entry | Effect |
|---|---|---|
| alice.github.io | github.io | Cannot share cookies with bob.github.io |
| foo.platter-app.dev | platter-app.dev | Cannot share cookies with bar.platter-app.dev |
| shop.example.com | com | CAN share cookies with example.com (set domain=example.com) |
| evil.co.uk | co.uk | Cannot set domain=co.uk supercookie |
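The two rules above and every row of the table can be reproduced with a small model of the browser's cookie-domain logic. This is an added example, not code from the sandbox itself; it uses a constructed seven-entry PSL (`PSL`) and omits the real list's wildcard and exception rules. The public-suffix check follows RFC 6265: a Domain attribute equal to a public suffix is rejected unless it is the setting host itself, in which case the cookie is stored host-only.

```javascript
// Toy PSL, constructed for this example: a few ICANN entries and private entries.
// The real list also has wildcard ("*.x") and exception ("!y.x") rules; omitted here.
const PSL = new Set(["com", "dev", "uk", "co.uk", "io", "github.io", "platter-app.dev"]);

// Longest listed suffix wins; a host with no listed suffix falls back to its last label.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PSL.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// eTLD+1: one label to the left of the public suffix, or null when the host IS the suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  const n = publicSuffix(host).split(".").length;
  return labels.length > n ? labels.slice(-(n + 1)).join(".") : null;
}

// RFC 6265 domain-match: host equals the domain or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// What the browser stores when `setter` sets a cookie with the given Domain attribute:
// {host, hostOnly} for an accepted cookie, or null when the cookie is rejected.
function acceptCookieDomain(setter, domainAttr) {
  const host = setter.toLowerCase();
  if (!domainAttr) return { host, hostOnly: true };           // no Domain: host-only cookie
  const domain = domainAttr.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (PSL.has(domain)) {
    // Domain is a public suffix: allowed only when it IS the setting host, and then host-only.
    return domain === host ? { host, hostOnly: true } : null;
  }
  if (!domainMatches(host, domain)) return null;             // e.g. foo.x trying Domain=bar.x
  return { host: domain, hostOnly: false };
}

// Would a stored cookie be sent on a request to `requestHost`?
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.host : domainMatches(host, cookie.host);
}
```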
If platter-app.dev were not in the PSL, foo.platter-app.dev
could write document.cookie = "tracker=1; domain=.platter-app.dev".
The browser would include that cookie on every request to
every subdomain — allowing one tenant to track all others.
The PSL makes this impossible.