Just saw
https://tools.ietf.org/html/draft-west-first-party-cookies-01 which proposes:

    This document updates RFC6265 by defining a "First-Party-Only"
    attribute which allows servers to assert that a cookie ought to be
    sent only in a "first-party" context. This assertion allows user
    agents to mitigate the risk of cross-site request forgery attacks,
    and other related paths to cross-origin information leakage.

It looks really good, and it seems that Chrome 50 is going to support it: https://www.chromestatus.com/features/4672634709082112

The current solution seems to be inspired by the SameDomain Cookie attribute as described at http://people.mozilla.org/~mgoodwin/SameDomain/samedomain-latest.txt

I actually prefer the SameDomain name to First-Party-Cookies :)