These are not vulnerabilities in Rack (necessarily), but in the way the cookie spec has been drafted and the way Chrome decides to implement it. There's nothing that can be "fixed" in Rack: the only definitive fix is a domain migration.