[gwillen]

Because being under google.com would mean the javascript security model allows it to be the "same domain" as google.com, which has cross-site scripting implications: there are applications for which google serves user-supplied javascript, and if one of those was accessible under the google.com domain, it would allow an attack.

[saurik]

Are you willing to describe the threat more? (I am legitimately curious, run a bunch of websites, use CDNs, may at some point have similar constraints involving also needing to host user content, and both respect and acknowledge the value of getting handed down understanding and explanations from people who have been doing things longer. ;P)

"a.google.com" and "b.google.com" are not "same origin", so cross-site scripting should fail. You can, however, have the two domains opt in to communicating with each other by having them both set their document.domain to "google.com"; does Google normally set document.domain on their pages, thereby allowing injected iframes to take advantage of this?

(I had thought the most common reason for having separate top-level domain names were due to performance and security implications involving cookies, which sometimes are scoped at the level of a domain name rather than at the level of a subdomain in order to allow sharing between related properties, such as plus.google.com and www.google.com.)

[gwillen]

I am not directly experienced with the threat involved. I know it is crossdomain-related; if you tell me it's cookies rather than JS, I'll believe you.

I have no idea whether Google normally sets document.domain, but I could certainly imagine it doing so; I feel like the "google.com" domain is one that any page under google.com is likely to believe it can trust, whether or not that trust is expressed programmatically. Certainly serving untrusted js anywhere under the google.com umbrella is likely to violate _someone_'s assumptions somewhere. I do not actually know it to be exploitable.

[Someone]

Why, then, did we get plus.google.com and not google+.com? (and aside: I find those (google.com) suffixes on HN that turn out to be links on plus.google.com confusing. For google.com URLs, I expect either search results or pages that represent google's position)

[qjz]

Now I understand the reason for the existence of those annoying special-purpose CDN domains that I'm always forced to allow in RequestPolicy. Thanks for the explanation!

[Tobu]

Another reason is: because these cdn domains aren't the domain people navigate to, they don't get cookies from the domain that includes them. Cookies bloat requests for the domain they are assigned to; sending them only once per page is faster.

[gbhn]

As I recall, for Google Video Search, we used domains like "1.vgc1.com" "2.vgc2.com" etc for cookieless hosting. A short domain name (as opposed to 'cookieless.googleserving.googlevideo.com' or some such) saves bytes in the HTML, and cookieless domains save bytes in requests, as well as providing better cache hit rates and such. Multiplexing domains lets the browser initiate several simultaneous requests for scripts, images, css, etc. (I think this is less of a problem these days, though.)

Some of these problems are addressed by modern browsers and other techniques, but getting good performance out of the median web browser remains a big challenge.

[enneff]

Unnecessary cookies can also defeat caching in some instances.

[anigbrowl]

Thanks for giving a meaningful answer instead of 'because that's how we do it'.

[gwillen]

No problem. To be clear, I don't work for Google; I quit earlier this year. As for how that relates to my degree of helpfulness, take that any way you like. ;-)

[enneff]

FWIW I would have responded the same way (the cited page at google.com calls out cross-site scripting attacks specifically), but you beat me to it. :-)

[sigvef]

Aren't subdomains considered separate domains for the same-origin policy?