by chrismorgan 2361 days ago
Using a subdomain will only protect host-only cookies (those lacking a domain=… parameter). Cookies that specify a domain deal in subdomains rather than origins, so blog.example.com will be able to see any domain=example.com cookies.

This is why using a completely separate domain can be wise if you’re using a third party to host your blog. At Fastmail when we shifted our blog to Ghost(Pro), we moved the blog from blog.fastmail.com to fastmail.blog, so that they definitely can’t get any cookies we may happen to set on domain=fastmail.com (even though our login cookies are domain=www.fastmail.com and thus safe anyway; defence in depth, and all that; by contrast, our product Topicbox does store its cookies on domain=topicbox.com, so the protection of using topicbox.blog is real there).
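The cookie-scoping rules the comment relies on, worked through as an added example (this is not code from the comment's author, from Fastmail, or from any browser): the RFC 6265 domain-matching algorithm, the host-only rule for cookies set without a Domain attribute, and the check that rejects a Domain attribute the responding host does not itself match. Host names and cookie values below are constructed for illustration; the `storeCookie`, `cookieIsSentTo` and `whoReceives` names are this example's own.

```javascript
// Added example: which hosts receive a cookie, per RFC 6265 sections
// 5.1.3 (domain matching), 5.3 (Domain attribute handling) and 5.4
// (host-only cookies). Not the author's code; hosts are made up.

// RFC 6265 5.1.3: a request host domain-matches a cookie domain when they
// are identical, or the host ends with "." + domain and is not an IP literal.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // bare IPv4, never a suffix match
  return host.endsWith("." + domain);
}

// Build the record a browser would store for a Set-Cookie header received
// from `setBy`. Returns null when the browser would reject the cookie.
function storeCookie(setCookieHeader, setBy) {
  const parts = setCookieHeader.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  let domainAttr = null;
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "domain" && v) {
      domainAttr = v.trim().replace(/^\./, "").toLowerCase();
    }
  }
  if (domainAttr === null) {
    // No Domain attribute: host-only cookie, scoped to the exact setting host.
    return { name, value, domain: setBy.toLowerCase(), hostOnly: true };
  }
  // RFC 6265 5.3 step 6: the setting host must domain-match the attribute,
  // so evil.org cannot plant a cookie for example.com.
  if (!domainMatches(setBy, domainAttr)) return null;
  return { name, value, domain: domainAttr, hostOnly: false };
}

// RFC 6265 5.4: host-only cookies go to the identical host only; domain
// cookies go to every host that domain-matches (i.e. all subdomains).
function cookieIsSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return domainMatches(host, cookie.domain);
}

// Convenience: filter a list of candidate hosts down to those that receive it.
function whoReceives(cookie, hosts) {
  return hosts.filter((h) => cookieIsSentTo(cookie, h));
}

// Scenarios from the comment (constructed values, realistic shapes).
const candidates = [
  "www.fastmail.com",
  "blog.fastmail.com", // a subdomain handed to a third-party host
  "fastmail.blog",      // a completely separate domain
];

// domain=fastmail.com: the third party on blog.fastmail.com would receive it.
const wideCookie = storeCookie("s=abc; Domain=fastmail.com; Secure; HttpOnly", "www.fastmail.com");
// domain=www.fastmail.com: blog.fastmail.com is not a subdomain of www.fastmail.com.
const narrowCookie = storeCookie("s=abc; Domain=www.fastmail.com; Secure", "www.fastmail.com");
// No Domain attribute: host-only, exact host only.
const hostOnlyCookie = storeCookie("s=abc; Secure", "www.fastmail.com");

console.log(whoReceives(wideCookie, candidates));     // www.fastmail.com and blog.fastmail.com
console.log(whoReceives(narrowCookie, candidates));   // www.fastmail.com only
console.log(whoReceives(hostOnlyCookie, candidates)); // www.fastmail.com only
```

Note that `fastmail.blog` never appears in any result: a domain cookie is a suffix match on dot-separated labels, so moving the blog to a separate registrable domain closes the gap regardless of what Domain attribute the product later uses.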