by solox3 2047 days ago
Heads up for the creator: putting everything under ugliest.app allows pages to read the same cookies across different "apps". If anyone plans to use the platform for production (which you appear to welcome), nothing substantial can be done.

I forgot what made github.com switch to github.io. Something similar but totally separate.

5 comments

> I forgot what made github.com switch to github.io. Something similar but totally separate.

Yep, here's the link that explains it all:

https://github.blog/2013-04-09-yummy-cookies-across-domains/

> I forgot what made github.com switch to github.io. Something similar but totally separate.

Same reason: to prevent user-generated/user-hosted content from being able to read GitHub.com cookies.

Not quite, they couldn't read the cookies. But they could mess with the cookies on github.com somewhat.

The full writeup is here: https://github.blog/2013-04-09-yummy-cookies-across-domains/

There's also the added benefit of being able to list the github.io domain on the Public Suffix List [1], which means that no cookies can be set for the top level domain, only the *.github.io subdomains. This prevents the platform users from accidentally revealing their cookies to every other app under the top level domain.

EDIT: to elaborate for the interested, the Public Suffix List is used by browser vendors to decide what part of the URL is considered the TLD for display and cookie security purposes (and I imagine others).

[1] https://publicsuffix.org/
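The two cookie-scoping behaviours discussed in the comments above (a subdomain setting a cookie with Domain=parent that every sibling subdomain then receives, and a Public Suffix List entry making the browser refuse such a cookie) can be modelled in a few lines. The following is an added example, not code from the thread, from GitHub or from the ugliest.app platform. It follows the domain-matching rule of RFC 6265 section 5.1.3 and the public-suffix handling of section 5.3; the PUBLIC_SUFFIXES set is a constructed subset of publicsuffix.org, and the alice./bob. hostnames are hypothetical.

```javascript
// Added example (not from the HN thread, GitHub or ugliest.app).
// Models how a browser decides which hosts receive a cookie, and why
// listing a platform domain on the Public Suffix List isolates its apps.
// PUBLIC_SUFFIXES is a constructed subset of publicsuffix.org; a real
// browser ships the full list.
const PUBLIC_SUFFIXES = new Set(["com", "app", "io", "github.io"]);

function canonicalize(host) {
  return host.toLowerCase().replace(/^\./, "");
}

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(canonicalize(domain));
}

// RFC 6265 5.1.3: requestHost domain-matches cookieDomain when they are
// equal, or requestHost ends with "." + cookieDomain and is not an IP literal.
function domainMatches(requestHost, cookieDomain) {
  const h = canonicalize(requestHost);
  const d = canonicalize(cookieDomain);
  if (h === d) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
  return !isIPv4 && h.endsWith("." + d);
}

// Simulates the user agent storing a cookie set by a page on settingHost
// with an optional Domain attribute. Returns the stored scope, or null
// when the browser rejects the cookie outright.
function storeCookie(settingHost, domainAttr) {
  const host = canonicalize(settingHost);
  let domain = domainAttr ? canonicalize(domainAttr) : "";

  if (domain !== "" && isPublicSuffix(domain)) {
    // RFC 6265 5.3 step 6: a public suffix may not be a cookie Domain.
    // If the setting page itself lives on that suffix the cookie becomes
    // host-only; otherwise (alice.github.io asking for Domain=github.io)
    // the cookie is dropped.
    if (domain === host) domain = "";
    else return null;
  }
  if (domain !== "") {
    // The setting host must be within Domain: a page on one site cannot
    // plant cookies for an unrelated domain.
    if (!domainMatches(host, domain)) return null;
    return { domain, hostOnly: false };
  }
  // No usable Domain attribute: host-only cookie, sent only to settingHost.
  return { domain: host, hostOnly: true };
}

// Would the browser attach a stored cookie to a request to requestHost?
function cookieSentTo(cookie, requestHost) {
  const h = canonicalize(requestHost);
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Can a page on otherHost see a cookie that settingHost set with
// Domain=domainAttr? This is the cross-app leak the thread warns about.
function visibleToSibling(settingHost, domainAttr, otherHost) {
  const cookie = storeCookie(settingHost, domainAttr);
  return cookie !== null && cookieSentTo(cookie, otherHost);
}

// Stand-alone demonstration with constructed hostnames.
if (typeof require !== "undefined" && require.main === module) {
  console.log("alice.ugliest.app -> bob.ugliest.app via Domain=ugliest.app:",
    visibleToSibling("alice.ugliest.app", "ugliest.app", "bob.ugliest.app"));
  console.log("alice.github.io -> bob.github.io via Domain=github.io:",
    visibleToSibling("alice.github.io", "github.io", "bob.github.io"));
}
```

With ugliest.app absent from the list, a cookie set by alice.ugliest.app with Domain=ugliest.app is sent to bob.ugliest.app; with github.io on the list, the same attempt on github.io is refused and each user site only ever sees its own host-only cookies. The model also shows the distinction made earlier in the thread: a host-only cookie for github.com is never sent to a subdomain, so a user page could not read it, even in the days before the move to github.io.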

Have I missed some major news about this attack? As far as I know, you're not able to read, just rewrite (or append?) the already existing cookies.

EDIT: The linked GitHub article states exactly that, is it out of date?

The localStorage and indexeddb limits will also apply (10MB and 50MB on Chrome).