Comment 1:

What kind of "validation" do you think of? Currently
`func (c *Cookie) String() string` does not validate anything
it just cleans up unsuitable (for a cookie header) characters
via sanitize{Value,Name}.
Is this issue about adding sanitizeDomain (and maybe
sanitizePath also) which replaces/dropps characters from
Domain (and Path) which do not conform to RFC 6265?
Or should `func (c *Cookie) String() string` be changed:
// String returns the serialization of the cookie for use in a Cookie
// header (if only Name and Value are set) or a Set-Cookie response
// header (if other fields are set).
// **NEW** It returns an empty string if a RFC 6265 conforming Set-Cookie
// response header cannot be constructed from c's fields. **NEW**
func (c *Cookie) String() string
But this would break Go 1 compatibility, or?

Comment 2:

See the updates in 
net/http: don't write out invalid cookie lines
https://code.google.com/p/go/source/detail?r=65920aec044a
This bug is about finishing that CL in the same way.
I deleted "sanitizeValue" because it was undefined and wrong, used by different callers
who needed different things,

Comment 3:

pkg net's dnsclient.go func isDomainName(s string) bool
is pretty lax: It allows labels to start with a digit
and allows underscores in labels.  Neither is permitted
by http://tools.ietf.org/html/rfc1034#section-3.5 which
is referenced for cookies in 
http://tools.ietf.org/html/rfc6265#section-4.1.1
Chrome actually allows cookies for domains like 3m.com
Is it okay to be lax for cookie domains too and allow
domains like www.3m.com and _xmpp-server._tcp.google.com?
as the domain-value of a cookie?  I'll assume yes and
will prepare a CL.

Comment 4:

This issue was closed by revision 4f86a96.

Status changed to Fixed.