michaelt 2 days ago

The other reason is: If a user figures out a way to upload javascript and have it work, you don't want them to steal other users' login cookies. This is why your gmail attachments should show up on googleusercontent.com instead of google.com.

Many years ago, some naive websites would let users upload images, but wouldn't validate their content; and some browsers would ignore file content type headers if they had a better guess. So an attacker could rename a .html to a .jpg, upload it as your user profile image, then direct people to www.example.com/avatars/eviluser.jpg and they'd get an HTML page and run its javascript.

That's why, to this day, you sometimes see websites sending the header "X-Content-Type-Options: nosniff" which tells Internet Explorer 8 not to guess the content type.
aaronmdjones 2 days ago

> The other reason is: If a user figures out a way to upload javascript and have it work, you don't want them to steal other users' login cookies.

This was solved a long time ago by marking such cookies as "HTTP only", preventing client-side scripts from reading their values. Google does mark their account login cookies as both "Secure" (sent only over HTTPS) and "HttpOnly" (not exposed to client-side scripting). You can see this in the server response headers in the browser dev tools' network tab. Even a piece of first-party JavaScript loaded directly from google.com -- even with SRI -- cannot read these cookies for google.com.
EE84M3i 2 days ago

SVGs are also images that can contain scripts if not validated. It's also relevant that github.io is on the public suffix list, which impacts a bunch of downstream things and isolates the subdomains from each other.
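The three comments above describe one upload pipeline from different angles: michaelt's renamed-HTML-as-.jpg trick and the nosniff header, aaronmdjones's Secure/HttpOnly cookie flags, and EE84M3i's scriptable SVGs. The following is an added example written for this page, not code from the thread or from any site it mentions; the function names, the accepted image list, the CSP value and the sample inputs are all hypothetical. It sniffs magic bytes instead of trusting the extension, rejects SVGs that carry script, event handlers or javascript: links, emits the serving headers the thread discusses, and parses a Set-Cookie header for the two flags aaronmdjones checks in dev tools.

```python
"""Upload gate and serving headers for user-supplied images.

Added example for the thread above, not the thread's own code;
all names and sample inputs are hypothetical.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Magic bytes for the raster formats we accept; the server trusts these,
# never the filename extension or the client-sent Content-Type.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXT_TO_MIME = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
               "png": "image/png", "gif": "image/gif"}


def sniff_raster(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def svg_is_active(data: bytes) -> bool:
    """True if the SVG could run code when opened directly in a tab:
    <script>, <foreignObject> (can embed HTML), on* event handlers,
    or javascript: hrefs. Unparseable input counts as active.
    In production use a DTD/entity-hardened parser (e.g. defusedxml)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace
        if tag in ("script", "foreignobject"):
            return True
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()  # handles xlink:href too
            if local.startswith("on"):
                return True
            if local == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def classify_upload(filename: str, data: bytes) -> Optional[str]:
    """Return the MIME type to store for an upload, or None to reject it.
    The sniffed type must agree with the extension, so an HTML file
    renamed eviluser.jpg is rejected rather than stored."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    raster = sniff_raster(data)
    if raster is not None:
        return raster if EXT_TO_MIME.get(ext) == raster else None
    head = data.lstrip()[:256].lower()
    if ext == "svg" and head.startswith((b"<svg", b"<?xml")):
        return None if svg_is_active(data) else "image/svg+xml"
    return None


def serving_headers(mime: str) -> dict:
    """Response headers for user content. nosniff stops the browser from
    second-guessing Content-Type; the CSP sandbox neutralises any SVG that
    slipped through. Serving from a separate origin (the thread's
    googleusercontent.com point) remains the primary defence."""
    headers = {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    if mime == "image/svg+xml":
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    return headers


def cookie_flags(set_cookie: str) -> dict:
    """Parse a Set-Cookie header and report the Secure/HttpOnly flags
    (the dev-tools check described in the thread, done in code)."""
    attrs = {p.strip().split("=", 1)[0].lower()
             for p in set_cookie.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


if __name__ == "__main__":
    # Constructed samples, not real uploads or real headers.
    print(classify_upload("avatar.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(classify_upload("eviluser.jpg", b"<html><script>alert(1)</script></html>"))
    print(classify_upload("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'))
    print(serving_headers("image/svg+xml"))
    print(cookie_flags("SID=abc; Path=/; Secure; HttpOnly"))
```

The extension-must-match rule is deliberate: accepting a file whose bytes say JPEG but whose name says .png is harmless in itself, but it is the same laxity that once let .jpg-named HTML through, so the gate refuses anything where the two disagree. The SVG check is an allow-on-parse design; a DTD, an unknown namespace or malformed markup all lead to rejection rather than a best-effort guess.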