[Feature Request]: Allow cookies without leading dot (current domain only) #711

@emkcloud

Current Behavior

When configuring cookieAttributes in aws-rum-web, the library automatically adds the domain with a leading dot (.example.com), even when the domain attribute is not specified or set to undefined. This causes cookies to be accessible across all subdomains.

const config = {
    allowCookies: true,
    cookieAttributes: {
        path: '/',
        sameSite: 'Strict',
        secure: true
        // domain not specified
    }
};

Result: Cookie is set with domain .example.com (with leading dot), making it accessible to all subdomains.

Expected Behavior

There should be a straightforward way to set cookies for the current domain only (without the leading dot), so they are NOT shared with subdomains.

Current Workaround

The only way I found to achieve this is by setting domain: '' (empty string):

const config = {
    allowCookies: true,
    cookieAttributes: {
        domain: '',  // Empty string workaround
        path: '/',
        sameSite: 'Strict',
        secure: true
    }
};

Result: Cookie is set with domain example.com (without leading dot) ✅

Proposed Solution

cookieAttributes: {
    disableSubdomains: true,
    path: '/',
    sameSite: 'Strict',
    secure: true
}

Use Case

Some applications need to isolate cookies between subdomains for security or functional reasons. For example:

  • app.example.com should not share session cookies with admin.example.com
  • Preventing potential subdomain cookie attacks
  • Compliance with specific security policies

Additional Context

Thank you for considering this feature request!
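
How a browser scopes a cookie depending on the Domain attribute that finally reaches it, as an added example that is not part of the issue and not aws-rum-web code. It models RFC 6265 sections 5.1.3, 5.2.3 and 5.3; the helper names are hypothetical, and public-suffix checks and IP-address hosts are left out.

```javascript
// Added example: models RFC 6265 cookie storage rules (not aws-rum-web code).
// storeCookie, domainMatches and cookieSentTo are hypothetical helper names.

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are out of scope here).
function domainMatches(host, domain) {
    return host === domain || host.endsWith('.' + domain);
}

// Compute how a browser stores a cookie set by `originHost` with the given
// Domain attribute value (undefined means the attribute is absent).
function storeCookie(originHost, domainAttr) {
    const host = originHost.toLowerCase();
    // An absent or empty Domain attribute is ignored: the cookie is host-only.
    if (domainAttr === undefined || domainAttr === '') {
        return { domain: host, hostOnly: true };
    }
    // One leading dot is stripped before the value is used (section 5.2.3),
    // so '.example.com' and 'example.com' are stored identically.
    const domain = domainAttr.replace(/^\./, '').toLowerCase();
    // The setting host must domain-match the attribute, else the cookie is rejected.
    if (!domainMatches(host, domain)) {
        return null;
    }
    return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for `requestHost`?
function cookieSentTo(cookie, requestHost) {
    const host = requestHost.toLowerCase();
    return cookie.hostOnly
        ? host === cookie.domain
        : domainMatches(host, cookie.domain);
}

// Constructed sample: Domain attribute values as they could reach the browser
// from a page on example.com.
const cases = [undefined, '', 'example.com', '.example.com'];
for (const attr of cases) {
    const c = storeCookie('example.com', attr);
    console.log(JSON.stringify(attr), '->', c,
        'sent to admin.example.com:', cookieSentTo(c, 'admin.example.com'));
}
```

When auditing an application, the stored cookie's host-only flag is the property to check, since a Domain attribute with or without the leading dot produces the same subdomain-wide scope.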

Labels: enhancement