by Gasparila 2604 days ago
One big reason to me: cookie security

Currently all buckets share a domain and therefore share cookies. I've seen attacks (search for cookie bomb + fallback manifest) that leverage shared cookies to allow an attacker to exfiltrate data from other buckets.

1 comment

Cookies support URL path restrictions.
That doesn't prevent unauthorized reading of the cookies. The only way to properly prevent it is using a different domain/subdomain.

https://developer.mozilla.org/en-US/docs/Web/API/document/co...
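
An added example, not part of the thread: the cookie matching rules from RFC 6265 (sections 5.1.3 and 5.1.4) applied to buckets on one shared host and to buckets on per-bucket subdomains, to show that Path only narrows which requests carry a cookie while the host is the isolation boundary. The hostnames, bucket names and cookie names are constructed placeholders.

```javascript
// RFC 6265 cookie matching. All hosts, buckets and cookies are constructed.

// Section 5.1.3: a host-only cookie needs an exact host match; a cookie set
// with a Domain attribute also matches every subdomain of that domain.
// (The RFC's exclusion of IP-address hosts is omitted here.)
function domainMatch(host, cookie) {
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

// Section 5.1.4: the cookie path must equal the request path, or be a
// prefix of it that ends on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => domainMatch(hostname, c) && pathMatch(pathname, c.path))
    .map((c) => c.name);
}

// Path-style hosting: every bucket is a directory on one shared host.
const sharedHostJar = [
  { name: "a_session", domain: "storage.example", hostOnly: true, path: "/" },
  { name: "a_scoped", domain: "storage.example", hostOnly: true, path: "/bucket-a/" },
];

// Subdomain-style hosting: each bucket has its own host.
const perBucketJar = [
  { name: "a_session", domain: "bucket-a.storage.example", hostOnly: true, path: "/" },
  // A Domain=storage.example cookie still reaches every bucket subdomain
  // unless the browser treats storage.example as a public suffix.
  { name: "wide", domain: "storage.example", hostOnly: false, path: "/" },
];

// Bucket B on the shared host receives bucket A's Path=/ cookie.
console.log(cookiesSentTo("https://storage.example/bucket-b/index.html", sharedHostJar));
// Bucket B on its own subdomain receives only the Domain-wide cookie.
console.log(cookiesSentTo("https://bucket-b.storage.example/index.html", perBucketJar));
```
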