[bugmen0t]

You likely want a separate domain indeed. See https://security.googleblog.com/2012/08/content-hosting-for-...

[1mbsite]

Sites like Tumblr do it and are fine, and they allow custom HTML and JS also. Cookies are HTTP only and inaccessible with JavaScript. And framing is blocked.