In general, if you use the Set-Cookie header in your subdomain with name=cookievalue; Domain=yourapexdomain.com, the cookie will be applied to the apex domain yourapexdomain.com. If you do this at the level of your Vercel Project subdomain such as myprojectname.vercel.app, will the cookie be applied to vercel.app?
vercel.app is on the Public Suffix List for security purposes and, as described in Wikipedia, one of its uses is to avoid supercookies. These are cookies with an origin set at the top-level or apex domain such as vercel.app. If an attacker in control of a Vercel project subdomain website sets up a supercookie, it can disrupt any site at the level of vercel.app or below such as anotherproject.vercel.app.
Therefore, for your own security, it is not possible to set a cookie at the level of vercel.app from your project subdomain.
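
The following added example (not Vercel's or any browser's code) sketches the cookie storage rule from RFC 6265 that produces this behaviour: a Domain attribute that is a public suffix is rejected unless it equals the request host. The suffix set is a constructed three-entry excerpt of the Public Suffix List, the hostname sub.yourapexdomain.com is an assumed placeholder, and wildcard and exception rules are omitted.

```javascript
// Constructed excerpt of the Public Suffix List. The real list is far larger
// and also contains wildcard and exception rules, which this sketch omits.
const PUBLIC_SUFFIXES = new Set(["com", "app", "vercel.app"]);

// RFC 6265 domain-match: the host equals the domain or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns the scope a browser would store for the cookie, or null if the
// cookie is rejected. requestHost is the host that sent Set-Cookie.
function cookieScope(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // A leading dot in the Domain attribute is ignored.
  let domain = (domainAttr || "").toLowerCase().replace(/^\./, "");
  if (domain && PUBLIC_SUFFIXES.has(domain)) {
    // A public suffix is only usable by the host with that exact name,
    // and then only as a host-only cookie.
    if (domain !== host) return null;
    domain = "";
  }
  // No Domain attribute: the cookie is bound to the setting host alone.
  if (!domain) return { domain: host, hostOnly: true };
  // A site may only name itself or one of its own parent domains.
  if (!domainMatches(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Whether a stored cookie with this scope is sent to the given host.
function isSentTo(scope, host) {
  if (scope === null) return false;
  return scope.hostOnly ? host === scope.domain
                        : domainMatches(host, scope.domain);
}

// The two cases from the article, using constructed hostnames.
for (const [host, attr] of [
  ["sub.yourapexdomain.com", "yourapexdomain.com"],
  ["myprojectname.vercel.app", "vercel.app"],
]) {
  const scope = cookieScope(host, attr);
  console.log(host, "Domain=" + attr, "->", scope ? scope.domain : "rejected");
}
```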