by 1mbsite 2612 days ago
For reference @hopscotch appears to be referring to this post: https://forum.1mb.site/?t=1556326142930

I think the interaction in this forum thread says a lot about my focus on security. An issue was reported and I jumped on it immediately. I’m not going to sit here and claim to be perfect, but I am going to tell you that I work really hard to make sure I do stuff right and fix my mistakes ASAP. I have had white hat hackers review my API by the way and have patched reported security vulnerabilities.


Kudos for quickly adding an anti-csrf token to logout, but I agree with the grandparent that hosting arbitrary user content on the same TLD as the management interface is still problematic security-wise.

See github.com vs github.io[1], amazon.com vs. elasticbeanstalk.com, azure.com vs azurewebsites.net, etc... Every major company I know of that hosts arbitrary user content dedicates a TLD to it that's not shared by the management APIs.

[1] https://github.blog/2013-04-05-new-github-pages-domain-githu...

You likely want a separate domain indeed. See https://security.googleblog.com/2012/08/content-hosting-for-...
Sites like Tumblr do it and are fine, and they allow custom HTML and JS also. Cookies are HttpOnly and inaccessible with JavaScript. And framing is blocked.
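An added example, not code from the thread, from 1mb.site, or from any of the companies named above, illustrating the two points the replies make: why a session cookie on a shared domain reaches user-hosted subdomains (and why a dedicated content domain keeps it out), and what a session-bound anti-CSRF check on logout looks like. It uses Python's `http.cookiejar`, which applies browser-like Domain matching, to simulate which requests a cookie would ride along on. All hostnames, the cookie value and the server secret are constructed for the example.

```python
"""Added example (not the thread's or 1mb.site's code): cookie scope across a
shared domain vs. a dedicated user-content domain, plus a session-bound CSRF
token check. Hostnames, values and secrets below are constructed."""
import hashlib
import hmac
import secrets
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Assumed layout: the management interface lives on one host, user content
# either on a sibling subdomain of the same registrable domain or on a
# separate domain reserved for user content (the github.io / azurewebsites.net
# pattern the thread describes).
MANAGEMENT_HOST = "manage.example.com"
SAME_DOMAIN_USER_SITE = "https://someuser.example.com/"
SEPARATE_DOMAIN_USER_SITE = "https://someuser.example-usercontent.net/"


def session_cookie(domain: str) -> Cookie:
    """Build a session cookie the way a server would set it: Secure + HttpOnly.
    `domain` is the Domain attribute; a leading dot means the cookie is sent to
    that domain and every subdomain of it."""
    return Cookie(
        version=0, name="session", value="constructed-session-id",
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None,
        rest={"HttpOnly": None}, rfc2109=False,
    )


def cookie_sent_to(cookie: Cookie, url: str) -> bool:
    """Simulate a browser: would this cookie be attached to a request to `url`?
    CookieJar applies the same Domain/Path/Secure matching a client does."""
    jar = CookieJar()
    jar.set_cookie(cookie)
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") is not None


def csrf_token(session_id: str, server_secret: bytes) -> str:
    """Anti-CSRF token derived from the session with an HMAC, so a token that
    leaks from one session cannot be replayed against another. The server
    embeds this in the logout form; no separate storage is needed."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def logout_allowed(session_id: str, submitted_token: str, server_secret: bytes) -> bool:
    """Server-side check on the logout request: the submitted token must match
    the one bound to the caller's session. compare_digest avoids timing leaks."""
    expected = csrf_token(session_id, server_secret)
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    shared = session_cookie(".example.com")     # scoped to the whole shared domain
    scoped = session_cookie(MANAGEMENT_HOST)    # scoped to the management host only

    print("shared-domain cookie reaches user site on same domain:",
          cookie_sent_to(shared, SAME_DOMAIN_USER_SITE))        # True
    print("host-scoped cookie reaches user site on same domain: ",
          cookie_sent_to(scoped, SAME_DOMAIN_USER_SITE))        # False
    print("shared-domain cookie reaches separate content domain:",
          cookie_sent_to(shared, SEPARATE_DOMAIN_USER_SITE))    # False

    secret = secrets.token_bytes(32)            # constructed server secret
    token = csrf_token("session-A", secret)
    print("logout with matching token:  ", logout_allowed("session-A", token, secret))  # True
    print("logout with another session:", logout_allowed("session-B", token, secret))  # False
```

Scoping the cookie to the management host (rather than `Domain=.example.com`) already keeps it away from user subdomains in this simulation, but a sibling subdomain remains same-site with the management host: it can still set cookies for the parent domain and `SameSite` does not treat its requests as cross-site. A dedicated user-content domain makes user pages genuinely cross-site to the management interface, which is what the separate-TLD advice in the thread buys you on top of the token check.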