OK, I've now implemented a very silly check, but at least it will cover most cases of usage. Setting the cookie for a second-level domain (e.g. ".foo.bar") is allowed if:
+ The top-level domain is one of the several recognized ones OR
+ Its subdomain is more than three characters long.

This means that ".x.org" will be accepted, whereas ".x.uk" won't. Unfortunately, it also means that ".foo.de" won't be accepted, and ".pharmacien.fr" will. The full "pros and cons" analysis is pasted from the source:

  .co.org     -> works because the TLD is known
  .co.uk      -> doesn't work because "co" is only two chars long
  .com.au     -> doesn't work because "com" is only 3 chars long
  .cnn.uk     -> doesn't work because "cnn" is also only 3 chars long (ugh)
  .cnn.de     -> doesn't work for the same reason (ugh!!)
  .abcd.de    -> works because "abcd" is 4 chars long
  .img.cnn.de -> works because it's not trying to set the 2nd level domain
  .cnn.co.uk  -> works for the same reason

Until someone provides something better, I believe this is the correct solution under the constraint of not having a catalog of domains and their properties.
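
The check described above, as an added Python sketch that is not the author's code, run against every case the post lists. Assumptions: the function names, the contents of `KNOWN_TLDS` (the post only confirms "org" as recognized), and the rejection of bare TLDs or empty labels, which the post does not cover.

```python
# Added illustration of the heuristic described in the post; not the author's code.
# ASSUMPTION: the post only says "several recognized" TLDs and confirms "org";
# the other entries in this set are stand-ins.
KNOWN_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def cookie_domain_allowed(domain):
    """Return (allowed, reason) for a cookie Domain value such as '.foo.bar'."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or "" in labels:
        # ASSUMPTION: bare TLDs and empty labels are not discussed in the post; reject.
        return False, "not a usable domain"
    if len(labels) > 2:
        return True, "not trying to set the 2nd-level domain"
    sld, tld = labels
    if tld in KNOWN_TLDS:
        return True, "TLD is known"
    if len(sld) > 3:
        return True, "subdomain is more than 3 chars long"
    return False, "'%s' is only %d chars long" % (sld, len(sld))


# Outcomes exactly as stated in the post (True = cookie accepted).
PAGE_CASES = {
    ".x.org": True, ".x.uk": False, ".foo.de": False, ".pharmacien.fr": True,
    ".co.org": True, ".co.uk": False, ".com.au": False, ".cnn.uk": False,
    ".cnn.de": False, ".abcd.de": True, ".img.cnn.de": True, ".cnn.co.uk": True,
}


def mismatches():
    """Page cases where this sketch disagrees with the post (expected: none)."""
    return [d for d, want in PAGE_CASES.items()
            if cookie_domain_allowed(d)[0] != want]


if __name__ == "__main__":
    for d in PAGE_CASES:
        ok, why = cookie_domain_allowed(d)
        print("%-16s %-7s %s" % (d, "accept" if ok else "reject", why))
```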