Maybe we could introduce the concept of subdomains. Paypal could, for example, have a corp.paypal.com address that points to their corporate blog. I know, a bit out there, but maybe DNS2 will ship with this feature.
With subdomains, you might leak cookies accidentally or maliciously to the root domain. They are not as separated as real domains are.
Then don't put anything on the root domain and use www.paypal.com for the main operations. corp.paypal.com's cookies are separated from www.paypal.com's.
But paypal.com's cookies are shared with corp.paypal.com and, depending on headers and fields, possibly vice versa.
My browser lists 8 .paypal.com cookies and 2 www.paypal.com cookies when I visit www.paypal.com. Those cookies are shared with https://fastlane.paypal.com/ (some random subdomain I found online).
They can separate those cookies out, of course, but they don't need to if they use separate domains and the cheapest work is work that doesn't need doing.
They also seem to own paypal.ai, which mcp.paypal.com redirects to the docs of. It could also just be a branding thing.
www.paypal.com can create a cookie for paypal.com, and that cookie will be sent for corp.paypal.com requests. And vice versa, of course.
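The cookie-sharing behaviour the thread is arguing about (a cookie set by www.paypal.com with `Domain=paypal.com` reaching corp.paypal.com and fastlane.paypal.com, a host-only www.paypal.com cookie staying put, and the reverse direction from corp.paypal.com) follows from the domain-matching rule in RFC 6265 section 5.1.3. The following is an added example, not code from any poster, that models that rule over constructed Set-Cookie headers; the hostnames are the ones named in the thread, but the cookie names and values are made up, and the Path attribute and public-suffix checks are deliberately left out.

```javascript
// Added example: a minimal model of how a browser scopes cookies by host
// (RFC 6265 section 5.1.3 domain matching). Path handling and public-suffix
// rejection are not modelled; cookie names/values below are constructed.

// A request host matches a cookie domain when it is equal to it or is a
// subdomain of it. "notpaypal.com" does NOT match "paypal.com".
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse one Set-Cookie header received in a response from requestHost.
// Returns null when a browser would reject it (a Domain attribute that the
// responding host does not domain-match). Without a Domain attribute the
// cookie is host-only and is sent back only to exactly requestHost.
function parseSetCookie(header, requestHost) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq < 1) return null;
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true,
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain": {
        const d = v.replace(/^\./, "").toLowerCase();
        if (!d || !domainMatches(requestHost, d)) return null; // rejected
        cookie.domain = d;
        cookie.hostOnly = false;
        break;
      }
      case "secure":
        cookie.secure = true;
        break;
      case "httponly":
        cookie.httpOnly = true;
        break;
    }
  }
  return cookie;
}

// Names of the cookies in jar that a request to host would carry.
function cookiesFor(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)))
    .map((c) => c.name);
}

// Build a jar from [respondingHost, setCookieHeader] pairs, dropping rejects.
function buildJar(responses) {
  const jar = [];
  for (const [host, header] of responses) {
    const c = parseSetCookie(header, host);
    if (c) jar.push(c);
  }
  return jar;
}

// Constructed sample responses (not real PayPal cookies).
const SAMPLE_RESPONSES = [
  ["www.paypal.com", "session=abc; Domain=paypal.com; Secure; HttpOnly"], // shared
  ["www.paypal.com", "csrf=xyz; Secure"],                    // host-only
  ["corp.paypal.com", "blog_pref=dark; Domain=paypal.com"],  // reverse direction
  ["corp.paypal.com", "mis_scoped=1; Domain=www.paypal.com"], // rejected
  ["notpaypal.com", "unrelated=1; Domain=paypal.com"],        // rejected
];

const jar = buildJar(SAMPLE_RESPONSES);
console.log("www.paypal.com      ->", cookiesFor(jar, "www.paypal.com"));
console.log("corp.paypal.com     ->", cookiesFor(jar, "corp.paypal.com"));
console.log("fastlane.paypal.com ->", cookiesFor(jar, "fastlane.paypal.com"));
console.log("paypal.com          ->", cookiesFor(jar, "paypal.com"));
```

Run with `node`. The output shows the thread's point: only `csrf` (no Domain attribute) stays on www.paypal.com, while anything scoped to `paypal.com`, whichever subdomain set it, reaches every other `*.paypal.com` host. The defensive takeaway is the one the thread reaches: either omit the Domain attribute so session cookies stay host-only, or keep unrelated properties on separate registrable domains.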