Support for `include_site` on a subdomain instead of just root domain (eTLD+1)

[PawelMaj]

After reviewing the spec and documentation, it seems that support for include_site=true only works when the origin is a root domain (eTLD+1). I have a use case where the root domain is shared across a few different sites/instances (app.a.example.com, app.b.example.com). I'd like to isolate them and have the session only be scoped to each subdomain (*.a.example.com *.b.example.com), rather then shared across the root domain.

Is there a reason why the include_site functionality was scoped only to the root domain and would it be possible to expand that functionality to include subdomains? If not, do you have any suggestions on how I could isolate the sessions across different subdomains?

Note: This is somewhat related to a previous conversation I saw and was curious if this is still a possibility.

[drubery]

This isn't a possibility today. Our assumption is that a site doing what you are doing needs to have some kind of central coordination to ensure that cookies don't interfere with each other. I would imagine you can extend that central control to ensure that DBSC sessions are correctly scoped.

Can you say more about how you ensure that app.a.example.com doesn't overwrite cookies for app.b.example.com?