
We use the Clear-Site-Data header for cleaning cookies and other data on logout.

If this header is delivered with the response at https://example.com/clear-cookies, all cookies on the same domain https://example.com and any subdomains (like https://stage.example.com, etc), will be cleared out.

Now this is a problem, if other systems run on subdomains.

I also wonder what happens for domains like "example.co.uk" - would that mean that all the data for all UK company domains is cleared?

How does the browser determine which domains to clear? And can it be influenced?

We want to use it on oursystem.example.org so that it clears only oursystem.example.org and not othersystem.example.org.

Alex

1 Answer


After looking into the W3C specification it seems like Clear-Site-Data will clear only the specified domain including its subdomains. So if you clear example.co.uk it will also clear system.example.co.uk. If you clear anothersystem.example.co.uk it will also clear a.anothersystem.example.co.uk and all its subdomains. Here is the example that helped me understand it.

So if you clear oursystem.example.org it will have NO effects on othersystem.example.org but it will have effects on a.oursystem.example.org.

Dharman
Halil Bahar
  • I don't think this was true in our case. It is not possible to specify a domain. We got a response from a subdomain and it also had effects on sibling domains. – Alex Dec 16 '21 at 10:43
  • I tested it once again, it's not easy to reproduce, but it seems to clean the full domain, not only the subdomain I am on, on Chrome 94. I am wondering if the CORS header is influencing the cleared scope. – Alex Dec 19 '21 at 11:01
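As an added illustration, not part of the question or the answer, the following Python models the two clearing scopes debated in this thread for the hosts it names: the answer's reading (the response host plus its subdomains) and the broader one Alex reports observing (the whole registrable domain plus its subdomains). The public-suffix subset and the cookie store are constructed for the example.

```python
# Constructed subset of the Public Suffix List, enough for the hosts in this
# thread; a real implementation would load the full list (e.g. via publicsuffix2).
PUBLIC_SUFFIXES = {"org", "com", "uk", "co.uk"}


def registrable_domain(host):
    """Return the eTLD+1 of host (public suffix plus one label), or None if
    host is itself a public suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return host  # unknown TLD: treat the whole host as registrable


def domain_matches(cookie_domain, root):
    """RFC 6265 style match: cookie_domain is root or a subdomain of root."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    return cookie_domain == root or cookie_domain.endswith("." + root)


def cleared_cookies(response_host, cookies, scope):
    """Names of cookies a Clear-Site-Data: "cookies" response from
    response_host would remove under one of two candidate scopes:
      "host"        - response_host and its subdomains (the answer's reading)
      "registrable" - the whole registrable domain and its subdomains
                      (the broader clearing Alex reports observing)
    cookies is a list of (name, domain) pairs."""
    if scope == "host":
        root = response_host.lower()
    elif scope == "registrable":
        root = registrable_domain(response_host) or response_host.lower()
    else:
        raise ValueError(f"unknown scope {scope!r}")
    return sorted(name for name, domain in cookies if domain_matches(domain, root))


# Constructed cookie store using the hosts named in the question.
COOKIES = [
    ("ours_session", "oursystem.example.org"),
    ("ours_child", ".a.oursystem.example.org"),
    ("other_session", "othersystem.example.org"),
    ("apex_pref", ".example.org"),
]

if __name__ == "__main__":
    for scope in ("host", "registrable"):
        print(scope, cleared_cookies("oursystem.example.org", COOKIES, scope))
    # Under either scope, clearing from example.co.uk reaches only that
    # registrable domain: co.uk itself is a public suffix, not a site.
    print(registrable_domain("stage.example.co.uk"), registrable_domain("co.uk"))
```

Only the "registrable" scope touches othersystem.example.org, which is the sibling effect Alex describes; under the answer's reading the sibling cookie survives.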