by anamexis 1022 days ago
That’s not novel. You could say the same thing for a GitHub Pages page, or a Code Sandbox, or an S3 static site, or really anything.

The only reason that would be a threat is if you implicitly trusted smolsite.zip, which would be an odd thing to do.

2 comments

GitHub Pages uses a unique domain per page to prevent sites from loading each other's cookies, localstorage, service workers, etc.
The difference is that if GitHub is found distributing malware on GitHub pages, you can notify them, they verify it, take it down, and open a process to eventually ban the offender.

They expend enough effort on this to ensure the vast majority of content on GitHub Pages is not malware, and avoid getting blanketly flagged as such.

It's not clear if smolsite.zip can successfully set up a similar process, given that they'll serve just any zip that's in the URL, and they won't have the manpower to verify takedown requests.

If your security model relies on arbitrary hosts on the internet proactively taking down malicious URLs, you're in for a bad time.
My security model is not going to do smolsite.zip any good when quad9, 1.1.1.2, et al. decide to outright block the domain.

Also, cookies.