It doesn’t work like this. Cookie domains, like cookie paths, are not a security feature because scripts in documents can manipulate other documents that are considered by the browser to have the same origin. A site can’t change the origin rules, the origin for both ‘awesome.example.org’ and ‘tracking-you.example.org’ both is example.org .