by halter73
2609 days ago
Kudos for quickly adding an anti-CSRF token to logout, but I agree with the grandparent that hosting arbitrary user content on the same TLD as the management interface is still problematic security-wise. See github.com vs. github.io [1], amazon.com vs. elasticbeanstalk.com, azure.com vs. azurewebsites.net, etc. Every major company I know of that hosts arbitrary user content dedicates a TLD to it that's not shared by the management APIs.

[1] https://github.blog/2013-04-05-new-github-pages-domain-githu...