RFC6265bis does not specify what happens to existing cookies when the Public Suffix List changes
If the user agent is configured to reject "public suffixes", cookies with a Domain attribute should be processed according to the Public Suffix List (PSL), which may change frequently. The spec currently says "Whenever possible, user agents SHOULD use an up-to-date public suffix list", but does not specify what to do with existing Domain cookies whose domain-attribute becomes a public suffix after a PSL update.
I think the sensible thing to do would be to remove such a cookie from the cookie store entirely. (The alternative would be to convert it to a host-only cookie, but since the storage model doesn't include the origin that set the cookie, there's no way to know whether the cookie originally came from that host.)
Chrome currently keeps such a cookie, but I think that's a bug. I am not sure what other UAs do in this scenario.
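As an added illustration (not code from this issue, the spec, or any browser), the sketch below models the set-time public-suffix rule of the storage model and the purge-on-update behaviour proposed above. The PSL is a constructed exact-match set (the real list also has wildcard and exception rules), and the `Cookie` record, like the spec's storage model, does not retain the host that set the cookie.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed, simplified PSL: exact suffixes only. The real list also carries
# wildcard ("*.foo") and exception ("!bar.foo") rules, which are not modelled here.
PSL_V1: Set[str] = {"com", "co.uk", "github.io"}


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # canonicalised request-host or domain-attribute, no leading dot
    host_only: bool  # True when no Domain attribute was applied


def is_public_suffix(domain: str, psl: Set[str]) -> bool:
    return domain.lower().lstrip(".") in psl


def domain_matches(host: str, domain: str) -> bool:
    # RFC 6265 "domain-match": identical, or host ends with "." + domain
    return host == domain or host.endswith("." + domain)


def set_cookie(store: List[Cookie], request_host: str, name: str, value: str,
               domain_attr: Optional[str], psl: Set[str]) -> bool:
    """Apply the set-time PSL rule of the storage model; return True if stored."""
    host = request_host.lower()
    if domain_attr is None:
        store.append(Cookie(name, value, host, host_only=True))
        return True
    domain = domain_attr.lower().lstrip(".")
    if is_public_suffix(domain, psl):
        if domain != host:
            return False  # Domain is a public suffix and not the request-host: ignore cookie
        store.append(Cookie(name, value, host, host_only=True))  # identical: fall back to host-only
        return True
    if not domain_matches(host, domain):
        return False      # Domain does not cover the request-host: ignore cookie
    store.append(Cookie(name, value, domain, host_only=False))
    return True


def purge_after_psl_update(store: List[Cookie], new_psl: Set[str]) -> List[Cookie]:
    """Proposed behaviour: drop domain cookies whose domain-attribute is now a public
    suffix. Host-only cookies stay. Converting to host-only is not an option because
    the store never recorded which host originally set the cookie."""
    removed = [c for c in store if not c.host_only and is_public_suffix(c.domain, new_psl)]
    gone = {id(c) for c in removed}
    store[:] = [c for c in store if id(c) not in gone]
    return removed
```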
I'll look into this one