OK, I've now implemented a very silly check, but at least it will
cover most cases of usage.  Setting the cookie for a second-level
domain (e.g. ".foo.bar") is allowed if:

+ The top-level domain is one of the several recognized ones

OR

+ Its subdomain is more than three characters long.

This means that ".x.org" will be accepted, whereas ".x.uk" won't.
Unfortunately, it also means that ".foo.de" won't be accepted, and
".pharmacien.fr" will.  The full "pros and cons" analysis is pasted
from the source:

          .co.org -> works because the TLD is known
           .co.uk -> doesn't work because "co" is only two chars long
          .com.au -> doesn't work because "com" is only 3 chars long
          .cnn.uk -> doesn't work because "cnn" is also only 3 chars long (ugh)
          .cnn.de -> doesn't work for the same reason (ugh!!)
         .abcd.de -> works because "abcd" is 4 chars long
      .img.cnn.de -> works because it's not trying to set the 2nd level domain
       .cnn.co.uk -> works for the same reason

Until someone provides something better, I believe this is the correct
solution under the constraint of not having a catalog of domains and
their properties.

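The heuristic described in the message above, written out as an added C example; it is not code from the original post or from the project's source. The TLD list is an assumption (the message only confirms that "org" is recognized), as are the function names and the choice to reject bare TLDs, empty labels and trailing dots.

```c
#include <ctype.h>
#include <stdio.h>

/* Assumed list of "recognized" TLDs; the post itself only confirms "org". */
static const char *const known_tlds[] = { "com", "edu", "net", "org", "gov", "mil", "int" };

/* Case-insensitive match of TLD against the assumed list. */
static int tld_is_known(const char *tld)
{
  size_t i, j;
  for (i = 0; i < sizeof known_tlds / sizeof known_tlds[0]; i++) {
    for (j = 0; tld[j] && tolower((unsigned char)tld[j]) == known_tlds[i][j]; j++)
      ;
    if (tld[j] == '\0' && known_tlds[i][j] == '\0')
      return 1;
  }
  return 0;
}

/* Return 1 if a cookie may be set for DOMAIN (e.g. ".foo.bar"), else 0. */
int cookie_domain_acceptable(const char *domain)
{
  const char *p, *last_dot = NULL;
  int ndots = 0;
  if (*domain == '.')
    domain++;                 /* the leading dot is notation only */
  for (p = domain; *p; p++)
    if (*p == '.') {
      if (p == domain || p[1] == '.' || p[1] == '\0')
        return 0;             /* empty label or trailing dot (assumed policy) */
      last_dot = p;
      ndots++;
    }
  if (ndots != 1)
    return ndots >= 2;        /* bare TLD: reject (assumed); 3rd level or deeper: accept */
  /* Second-level domain: known TLD, OR label longer than three characters. */
  return tld_is_known(last_dot + 1) || (last_dot - domain) > 3;
}

int main(void)
{
  /* Four of the domains from the post's table. */
  const char *t[] = { ".co.org", ".co.uk", ".abcd.de", ".img.cnn.de" };
  size_t i;
  for (i = 0; i < sizeof t / sizeof t[0]; i++)
    printf("%12s -> %s\n", t[i], cookie_domain_acceptable(t[i]) ? "accept" : "reject");
  return 0;
}
```

This covers only the shape of the cookie's domain attribute; whether the requesting host actually belongs to that domain is a separate check not shown here.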