echelon 3 days ago

The problem here is GitHub's terrible domain name.

The container registry has a horrible name.

Gigachad 3 days ago | parent [-]

Why does it seem companies hate subdomains so much? Why is this not just registary.github.com or something? It's like they are trying to get people to fall for phishing by creating so many random domains.

dcrazy 3 days ago | parent | next [-]

It’s best security practice to host user-generated content on a separate domain to opt into browsers’ cross-domain security policies. Hence ghcr.io, githubusercontent.com, fbimg.com, etc.

https://www.reddit.com/r/webdev/comments/lg9xnm/why_do_some_...

usr1106 3 days ago | parent [-]

Not a web programmer, so I know cross-domain only from hearsay :(

It does not seem to hinder e.g. Google using google.com, youtube.com, gmail.com, and several (many?) others to collect your data. Do you say security and privacy work differently here?

missingcolours 3 days ago | parent [-]

In those cases, the company controls all of the code running on those sites, so it's desirable for them to share data and cookies in particular. (e.g. any google.com site can read your login cookie)

In the case of user data domains, intentionally in the design of the service or via a security hole, users may be able to execute code and read cookies (e.g. in JavaScript on a page hosted on githubusercontent.com) and that's undesirable.
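The cookie scoping described in the comment above, as an added example that is not part of the original thread: a simplified model of RFC 6265 domain matching, showing which cookies a browser attaches to a request for a given host. The cookie names and the `user.github.com` host are constructed for illustration; Path, Secure, HttpOnly and the Public Suffix List are not modeled.

```javascript
// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they are
// identical, or when the host ends with "." + cookie domain (and is not an IP).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.3: with a Domain attribute the cookie covers the whole
// subtree; without one it is host-only. A Domain the setting host does not
// domain-match is rejected.
function storeCookie(jar, setByHost, name, domainAttr) {
  if (domainAttr && !domainMatch(setByHost, domainAttr)) return false;
  jar.push({
    name,
    domain: (domainAttr || setByHost).toLowerCase(),
    hostOnly: !domainAttr,
  });
  return true;
}

// Names of the cookies the browser would attach to a request for requestHost.
function cookiesSentTo(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
    .map(c => c.name)
    .sort();
}

// Constructed jar: the main site sets one domain-wide and one host-only cookie.
function buildDemoJar() {
  const jar = [];
  storeCookie(jar, 'github.com', 'session_wide', 'github.com');
  storeCookie(jar, 'github.com', 'session_hostonly', null);
  return jar;
}

const demoJar = buildDemoJar();
for (const host of ['github.com', 'user.github.com', 'githubusercontent.com']) {
  console.log(host, '->', cookiesSentTo(demoJar, host));
}
```

User content served from a subdomain of the main site still receives the domain-wide cookie, while the separate registrable domain receives nothing.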

usr1106 3 days ago | parent [-]

Sure, I see why as a company you don't want user data in your domain.

But if the different domain name gives good protection / isolation, why does Google still use completely different domains for different services with content controlled by them? I cannot believe they are interested in protecting users from data collection.

plorkyeran 3 days ago | parent [-]

YouTube was an acquisition that they didn’t rebrand. Google Video was on google.com. gmail.com redirects to mail.google.com, and only email addresses use the gmail domain to avoid appearing to be google employee emails.

JdeBP 3 days ago | parent | prev | next [-]

Interestingly, the GitHub doco says outright that it superseded docker.pkg.github.com; so it was a conscious choice to go with this domain naming scheme instead of that one.

* https://docs.github.com/en/packages/working-with-a-github-pa...

cyral 3 days ago | parent | prev | next [-]

I've noticed this too. Why does Amazon have aboutamazon.com and Google have developers.googleblog.com? They literally have their own .google TLD but still choose this weird domain.

Same with local governments. They love something really random like <countyname>proptaxpayment.org instead of treasurer.<countyname>.gov. It's exactly the kind of domain you are told to watch out for, but actually legit.

missingcolours 3 days ago | parent [-]

A common scenario I've seen in the case of local governments is that a department (e.g. the Assessing Department) contracts with a vendor to run the website and has no idea how DNS works, and the vendor defaults to registering new domains for their clients since that's the easiest when dealing with non-technical clients. Texas alone for example has 254 countries, the vast majority of which are very small and have effectively no full time IT department, so when these vendors are engaging new clients, low IT expertise is the norm by volume.

The local government itself may have an IT department, but they may not know how to create a subdomain, or even be aware this contract is being made and the site is being set up until after it's announced to the public.

JdeBP 3 days ago | parent [-]

Now you too are hearing a voice in your head, as I did, in the classic drawl, saying "Counties, kid. Texas ain't that big.". (-:

zx8080 3 days ago | parent | prev | next [-]

Probably it's cool and honored inside an org to operate a separate domain service vs. going to another team to ask for permission for a subdomain.

wink 3 days ago | parent | prev | next [-]

If you are very old[tm] you might remember that GitHub Pages were hosted on USER.github.com and they moved to USER.github.io in 2013, https://github.blog/news-insights/product-news/new-github-pa...

JFTR, I also think they could at least have used a couple of pronounceable domains, or put stuff under a .github.io domain, or at least made it githubrepo.com or something not acronym-y.

rconti 3 days ago | parent | prev [-]

insecurity through obscurity