Configure Firefox so cookie management is more granular than just first domain below TLD

TL;DR folks: The actual question is bolded in the final paragraph; the rest of this is explanation so people don't assume I have an XY problem.

I'm responsible for maintaining the Firefox installation on my organization's intranet. Almost all of the servers within this intranet use the same root domain, e.g. myorg.com, but logically, it's a whole internal internet of independently maintained servers, where the various subdomains are unrelated to one another (hr.myorg.com is maintained entirely independently from payroll.myorg.com, and gitlab.myorg.com is independent of both).

The problem is, some of the less well-written sites fairly regularly get into a bad state with regard to session login cookies that makes the site useless (it says you're signed out, but you can't sign in again; login is handled with PKI certificates in any event, so you shouldn't need to sign in manually, but the PKI authentication was hacked on to an existing product, badly, so it doesn't work in the bad state), where the only solution available to the individual user is to clear the cookies for that site and reload (triggering a new PKI login and everything works). The problem is, at least as of Firefox 91 ESR (I can't recall if Firefox 78 ESR or earlier had this problem; I don't think so, as I remember clearing cookies per sub-domain), cookie clearing appears to operate at the level of the first level subdomain, so if I want to clear cookies for badcookies.myorg.com, the cookie clearing dialog (both in the URL bar's Site Information→Clear cookies and site data… dropdown and in Edit→Settings→Privacy & Security→Cookies and Site Data→Manage Data) only offers me the option to clear them for myorg.com (meaning I'd lose cookies for the 99% of websites that don't have problems just to fix the one that does; most of our sites don't use cookies much, but the ones that do lose all per-user configuration if you clear them, which can be a pain to restore).

The only workaround that selectively deletes cookies for a specific subdomain is to go to Edit→Settings→Privacy & Security→Cookies and Site Data→Manage Exceptions and add an exception for https://badcookies.myorg.com to make it Allow for Session. When the problem occurs, tell users to restart Firefox, and the bad cookies are gone after the restart. This is obviously not a great solution; I know how to set up the Allow for Session behavior by default (via policies.json's Cookies policy), but forcing a browser restart is suboptimal.

My suspicion is that ultimately, the browser chooses how granularly to manage cookies based on Mozilla's public suffix list (so if myorg.com were on that list, my problem would be solved). But given myorg.com is not on the public internet at all (and if it were, it would be a single coherent presence, not the dueling mass of separate services on the intranet), I'd prefer not to try to get it added to that list, only to wait a year before they cut the next ESR that would use the updated list and pollute it with data that no one on the regular Internet would ever use.

So all that said, my question is: Is there any way for an administrator to globally configure Firefox (on Linux if it matters) such that cookies set by the various subdomains of a given domain can be manually cleared independently of one another? If it's not possible via global configuration, is there a per-user setting I can suggest to people that they can set once and benefit from forever? Ideally the solution would not require a third party extension (importing stuff to the intranet is a pain, and the IT security folks don't like doing it if they can avoid it), but if that's the only option, I'll consider it (importing once and using policy to install it for everyone is better than "bad site remains broken with awful workaround until developers of bad site (themselves clearly not great developers) fix it").


You can already do this without configuration. While on the website, open the "Developer Tools" panel with F12, go to "Storage" → "Cookies", then select and delete whichever cookies are causing the problem.

(This also exists in Chrome and derivatives, except the same tab is titled "Application" instead of "Storage".)

There are tons of "cookie editor" extensions which can do the same, possibly in a more convenient interface.

If you know which specific cookies are causing the problem, and if they don't have the "HttpOnly" flag (meaning they're settable via JavaScript), it should be possible to make a bookmarklet that, when clicked, unsets those cookies.
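
The bookmarklet idea above, as an added example that is not part of the original answer: a cookie is only replaced when the name, `Path` and `Domain` of the expiring assignment match the stored cookie, so the script tries each path prefix with and without the exact host as `Domain`, and leaves `Domain=myorg.com` cookies alone unless asked. The cookie name `SESSIONID` and all function names are hypothetical.

```javascript
// Added example; cookie name below is a hypothetical placeholder.
const TARGET_NAMES = ['SESSIONID'];
const EXPIRED = 'Thu, 01 Jan 1970 00:00:00 GMT';

// Names that script can see; HttpOnly cookies never appear in document.cookie.
function visibleCookieNames(cookieString) {
  return cookieString.split(';').map(s => s.trim()).filter(Boolean)
    .map(s => s.split('=')[0]);
}

// A cookie is only overwritten when Path matches, so try every prefix of the
// current path: "/app/login" -> ["/", "/app", "/app/login"].
function pathCandidates(pathname) {
  const paths = ['/'];
  let cur = '';
  for (const part of pathname.split('/').filter(Boolean)) {
    cur += '/' + part;
    paths.push(cur);
  }
  return paths;
}

// Domain attributes to try: none (host-only cookie) and the exact host.
// Parent domains such as myorg.com are skipped by default so cookies shared
// across subdomains survive.
function domainCandidates(hostname, includeParents = false) {
  const domains = [null, hostname];
  const labels = hostname.split('.');
  for (let i = 1; includeParents && i < labels.length - 1; i++) {
    domains.push(labels.slice(i).join('.'));
  }
  return domains;
}

// Build the document.cookie assignments that expire each named cookie.
function expiryStrings(names, hostname, pathname, includeParents = false) {
  const out = [];
  for (const name of names)
    for (const domain of domainCandidates(hostname, includeParents))
      for (const path of pathCandidates(pathname))
        out.push(`${name}=; expires=${EXPIRED}; path=${path}` +
                 (domain ? `; domain=${domain}` : ''));
  return out;
}

// Browser only: expire the targeted cookies that are visible to script.
if (typeof document !== 'undefined') {
  const seen = visibleCookieNames(document.cookie);
  const names = TARGET_NAMES.filter(n => seen.includes(n));
  expiryStrings(names, location.hostname, location.pathname)
    .forEach(s => { document.cookie = s; });
}
```

To use it as a bookmarklet, wrap the code in `javascript:(function(){ ... })();` and save that as the bookmark's location; it can also be pasted into the Developer Tools console while on the affected site.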