Can you also test that the cookie in the jar is what you expect it to be?

I've written such a test, and it looks like it saves the cookie under ".localhost". Without "domain" attribute present, it saves them under "localhost.local". I'm not so familiar with cookie processing as well, so I'm not really sure if "domain" attribute should affect this in such a way. I've commited the tests in cec78ed.

Yes, that's a bit odd. It might be fine though as long as it behaves consistently. The public interface doesn't expose the domain names as far as I can see.

Previously this checked a domain that came from the cookie, and now it checks the hostname from the request. Can you explain why this is changed and why the change is safe?

This check considers localhost to be a non-local domain. It also doesn't have any embedded_dots, so it doesn't process it, which really shouldn't happen. My change should be safe because for local domains effective request hostname would end with ".local" (ERHN will end with .local if it ls clearly specified as part of the domain (foo.local), or if the domain consists of only one level (localhost has EHRN of localhost.local)).

Thanks! I'm still worried about cases where the domain and the ERHN don't match (e.g. a malicious website evil.com sets a cookie for localhost). I see there are some checks for that and a test in test_wrong_domain, but it's not very thorough. Could you add more tests for similar cases (request to non-local domain setting a local cookie, and vice versa)?

I've added some tests for those cases in a31fa40. Looks like everything is fine.