by chocolatkey 1149 days ago
I think it's due to cookies. That's why there's e.g. googleusercontent.com, ggpht.com etc. That way if users find a way to upload malicious content (or e.g. blog is compromised) you can't get users' Google cookies

They have their own TLD, .goog; they could surely have put the website under theirs instead to at least gain some trust, instead of the current abomination of a domain.

Or, you know, just use subdomains, which have existed since forever...

Subdomains don't solve the problem, because Google very much intentionally puts the user session cookie on the root of .google.com, thereby sharing with all subdomains.
The tld he is talking about is different though right?
Yes, but I read that as suggesting they could use their own tld OR use subdomains. If you open a new domain on that tld, you don't need subdomains to protect Google account cookies.
If only there was some sort of system of domain names that could be used to indicate the demarcation points...
Google's cookie situation is complicated, because they have one login that people expect to work across mail.google.com, docs.google.com, drive.google.com, etc. Without going to a ton of server-side gymnastics, the most seamless way to connect all those properties is to set the session ID cookie on .google.com, allowing access to all subdomains recursively.

There's no way to exclude certain subdomains, so once you've decided to share a cookie between subdomains you have to use a new domain if you want to exclude a site from sharing.
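The cookie scoping described in the comment above, as an added example that is not part of the original thread: a simplified version of the RFC 6265 domain-match rule, showing which hosts receive a cookie set with a `Domain` attribute versus a host-only cookie. The hostnames, the cookie name `SID` and the helper names are constructed for illustration, and public-suffix checks are left out.

```javascript
// Simplified RFC 6265 section 5.1.3 domain-match. All hostnames are constructed.

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// True if the request host domain-matches the cookie's Domain attribute.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  // Suffix match must fall on a label boundary, and never applies to IP literals.
  return h.endsWith("." + d) && !isIpAddress(h);
}

// cookie: { name, domain: Domain attribute or null, setBy: host that set it }
function cookieSentTo(cookie, requestHost) {
  if (cookie.domain === null) {
    // No Domain attribute: host-only cookie, exact host match required.
    return requestHost.toLowerCase() === cookie.setBy.toLowerCase();
  }
  return domainMatch(requestHost, cookie.domain);
}

function recipients(cookie, hosts) {
  return hosts.filter((h) => cookieSentTo(cookie, h));
}

const hosts = [
  "accounts.example.com",
  "mail.example.com",
  "uploads.example.com",      // user-uploaded content on a subdomain
  "a.b.uploads.example.com",  // nested subdomains match too
  "badexample.com",           // not on a label boundary: no match
  "example-usercontent.com",  // separate registrable domain: no match
];

// Session cookie shared across the whole site, as the comment describes.
const shared = { name: "SID", domain: "example.com", setBy: "accounts.example.com" };
// Same cookie without a Domain attribute.
const hostOnly = { name: "SID", domain: null, setBy: "accounts.example.com" };

console.log("Domain=example.com ->", recipients(shared, hosts));
console.log("host-only          ->", recipients(hostOnly, hosts));
```

The `Domain` attribute has no exclusion syntax, so the only hosts in the list that never see the shared cookie are the ones outside `example.com` entirely.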

> There's no way to exclude certain subdomains

I think Google should fix this. The alternative is endless domain sprawl, for all time.

I'm kind of surprised Google would even bother with cookies these days, as there are so many other ways to track users.
It's not for tracking, it's for sessions (you know, one of the original purposes of cookies).