Description
We have received feedback from site authors who have been participating in the CHIPS origin trial that the no-Domain attribute requirement is making CHIPS more difficult to adopt.
The purpose of the no-Domain attribute requirement is to ensure that partitioned cookies are keyed on the hostname of the request URL and not sent across subdomains, which provides security benefits. For example, the no-Domain requirement would prevent example.com from sharing its partitioned cookies across shop.example.com and pay.example.com. The goal of this requirement is to guarantee that sites do not receive cross-site cookies from malicious/compromised subdomains, and to mitigate the use of Domain cookies as a channel to leak data across subdomains (at least in cross-site contexts where partitioned cookies are used).
However, this would be a paradigm shift on the web that adds additional churn for sites that are already migrating off of third-party cookies. /issues/39 describes an example of a common architecture that will need to be adapted to this new requirement.
Since the primary goal of CHIPS is to facilitate the deprecation of third-party cookies, it seems reasonable to open a conversation about whether the no-Domain requirement is necessary.
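As an added illustration (not code from the issue or from the CHIPS repository), the following script parses `Set-Cookie` headers, flags a `Partitioned` cookie that carries a `Domain` attribute, and shows which hosts each cookie would be delivered to. The `Domain` matching follows RFC 6265 section 5.1.3 (host-only cookies go back only to the setting host; a `Domain` cookie goes to every host that domain-matches). The `Secure` check reflects the separate CHIPS requirement that partitioned cookies be `Secure`; the header strings are constructed sample input.

```javascript
// Added example: audit Set-Cookie headers for the CHIPS no-Domain rule and
// show the delivery scope a Domain attribute would open up across subdomains.

// Minimal Set-Cookie parser: name=value, then ';'-separated attributes.
// Valueless attributes (Secure, HttpOnly, Partitioned) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [rawName, ...rest] = parts[0].split('=');
  const cookie = { name: rawName.trim(), value: rest.join('=').trim(), attributes: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? true : attr.slice(eq + 1).trim();
    cookie.attributes[key] = value;
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching: equal, or host ends with "." + domain.
// A leading dot on the Domain value is ignored, as user agents do.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.replace(/^\./, '').toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Hosts (from `candidateHosts`) a cookie set by `settingHost` would be sent to.
// Without Domain the cookie is host-only; with Domain it reaches all matching subdomains.
function cookieScope(cookie, settingHost, candidateHosts) {
  const domain = cookie.attributes.domain;
  return candidateHosts.filter((h) =>
    typeof domain === 'string'
      ? domainMatches(h, domain)
      : h.toLowerCase() === settingHost.toLowerCase()
  );
}

// The check a site operator would run before shipping: a Partitioned cookie
// must be host-only (no Domain attribute) and must be Secure.
function checkPartitionedCookie(cookie) {
  const problems = [];
  if (!('partitioned' in cookie.attributes)) {
    return { partitioned: false, problems };
  }
  if ('domain' in cookie.attributes) {
    problems.push('Partitioned cookie sets Domain; CHIPS requires a host-only cookie');
  }
  if (!('secure' in cookie.attributes)) {
    problems.push('Partitioned cookie is missing Secure');
  }
  return { partitioned: true, problems };
}

// Constructed sample headers as example.com might emit them in a cross-site context.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; SameSite=None; Partitioned',
  'sid=abc123; Domain=example.com; Path=/; Secure; SameSite=None; Partitioned',
];
const SAMPLE_HOSTS = ['example.com', 'shop.example.com', 'pay.example.com', 'evil.example'];

// Audit every header: report problems and the hosts the cookie would reach.
function auditHeaders(headers, settingHost, candidateHosts) {
  return headers.map((header) => {
    const cookie = parseSetCookie(header);
    return {
      header,
      ...checkPartitionedCookie(cookie),
      scope: cookieScope(cookie, settingHost, candidateHosts),
    };
  });
}

for (const result of auditHeaders(SAMPLE_HEADERS, 'example.com', SAMPLE_HOSTS)) {
  console.log(result.header);
  console.log('  sent to:', result.scope.join(', '));
  console.log('  problems:', result.problems.length ? result.problems.join('; ') : 'none');
}
```

Running it shows the point of the requirement: the host-only cookie is returned only to example.com, while the same cookie with `Domain=example.com` would also be delivered to shop.example.com and pay.example.com, which is exactly the subdomain sharing the no-Domain rule rules out.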