
Specify Domain Level for Clear-Site-Data / Subdomains


We use the Clear-Site-Data header for cleaning cookies and other data on logout.

If this header is delivered with the response at https://example.com/clear-cookies, all cookies on the same domain https://example.com and any subdomains (like https://stage.example.com, etc.) will be cleared out.

Now this is a problem, if other systems run on subdomains.

I also wonder what happens for domains like "example.co.uk" - would that mean that all the data for all UK company domains is cleared?

How does the browser determine which domains to clear? And can it be influenced?

We want to use it on oursystem.example.org so that it clears only oursystem.example.org and not othersystem.example.org.


Solution

  • Deleting all cookies for an entire domain is in line with the Clear Site Data spec. I think this should be made clearer in the general description of the header values, but if you read on to the detailed algorithm for clearing cookies (section 4.2.4), it says:

    We remove all the cookies for an entire registered domain, as cookies ignore the same-origin policy, and there’s a distinct risk that we’d leave applications in an ill-defined state if we only cleared cookies for a particular subdomain. Consider accounts.google.com vs mail.google.com, for instance, both of which have cookies that signal a user’s signed-in status.

    Now, you were also asking:

    I also wonder what happens for domains like "example.co.uk" - would that mean that all the data for all UK company domains is cleared?

    The critical phrase here is "registered domain". Determining its start and end is not always obvious for second-level domains like co.uk. However, this is what the Public Suffix List is for, which also gets referenced by the spec to define a "registered domain".

    The first steps of the algorithm for cookie clearing are:

    1. Let registered be the registered domain of origin’s host.
    2. Let cookie list be the set of cookies from the cookie store whose domain attribute is a domain-match with registered.

    The spec then goes on to describe how to delete the full cookie list.

    Chrome-based browsers appear to be implementing that algorithm. Firefox seems to handle it differently, i.e. only deleting cookies for the host's domain and its subdomains. Safari doesn't implement Clear-Site-Data: "cookies" at all (as of 2024).

    And can it be influenced?

    While I agree that the behavior can be annoying and I don't completely agree with the reasoning behind it, I don't think there is a straightforward way to influence it.
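To make the two spec steps quoted in the answer concrete, here is an added example (not from the question, the answer or the Clear-Site-Data spec itself) that models them in Python: it derives the registered domain of a host from a constructed subset of the Public Suffix List and then applies the RFC 6265 domain-match rule to a constructed cookie store, which shows why a logout on oursystem.example.org also takes out othersystem.example.org's cookies under the spec algorithm, while example.co.uk stays confined to that one registrant.

```python
# Added example, not the spec's or any browser's code: a small model of the
# cookie-clearing steps quoted above, to check what a logout response from
# one host would wipe. PUBLIC_SUFFIXES is a constructed subset of the real
# Public Suffix List, embedded so this runs offline.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "github.io"}


def registered_domain(host: str) -> str:
    """Step 1: the registrable domain = longest public suffix plus one label.

    A host that is itself a public suffix has no registrable domain and is
    returned unchanged. Hosts with no matching suffix fall back to their
    last two labels (a simplification of what a real PSL lookup does).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return host.lower() if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def domain_matches(string: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match for hostnames (no IP handling)."""
    string, domain = string.lower(), domain.lower()
    return string == domain or string.endswith("." + domain)


def cookies_cleared(origin_host: str, cookie_store: list[dict]) -> list[str]:
    """Step 2: names of cookies whose Domain attribute domain-matches the
    registered domain of the responding origin, sorted for stable output."""
    registered = registered_domain(origin_host)
    return sorted(c["name"] for c in cookie_store
                  if domain_matches(c["domain"], registered))


# Constructed cookie store: two systems on sibling subdomains of example.org,
# one cookie on the parent domain and one on an unrelated registrant.
SAMPLE_STORE = [
    {"name": "our_session", "domain": "oursystem.example.org"},
    {"name": "other_session", "domain": "othersystem.example.org"},
    {"name": "shared", "domain": "example.org"},
    {"name": "unrelated", "domain": "example.com"},
]

if __name__ == "__main__":
    print(registered_domain("oursystem.example.org"))  # example.org
    print(registered_domain("www.example.co.uk"))       # example.co.uk
    # prints ['other_session', 'our_session', 'shared']
    print(cookies_cleared("oursystem.example.org", SAMPLE_STORE))
```

Only the spec algorithm is modelled here; the answer notes that Firefox narrows clearing to the host and its subdomains and that Safari does not clear cookies at all, so the real effect still has to be verified per browser.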