From the spec:

If the first character of the attribute-value string is %x2E ("."):
Let cookie-domain be the attribute-value without the leading %x2E (".") character.

http://tools.ietf.org/html/rfc6265#section-5.2.3

'.foo.com'.match(/^[a-z\d\-]{1,63}(?:\.[a-z\d\-]{1,63})*$/) === null but is a valid value to send in a Set-Cookie header.