[yourcelf]

Wouldn't a solution be for the server to set its session cookie for every subdomain, as HTTP-only? For example, set "_gh_sess" for every requesting domain, whether www.github.com, github.com, something.github.com; and ".github.com" as well. If you hit them all, you prevent js from shadowing them.

[homakov]

no, it's already httponly. There is NO WAY to secure your subdomains from such vuln.

[yourcelf]

Github only sets their cookie for "github.com". What I'm suggesting is that they set multiple http-only cookies: one for "github.com", one for ".github.com", another for every subdomain you access -- "pages.github.com", etc. If there's already an http-only _gh_sess cookie for every subdomain I can put scripts on, I won't be able to shadow it with my own _gh_sess cookie.

[homakov]

You can shadow other httponly cookies too. Any cookies.

[yourcelf]

Got it, thanks. More detail at [1] mentioned by gingerline above: "the secure flag does not prevent a cookie from being overwritten. In fact, a HTTP site can overwrite a cookie with a secure flag, as long as the domain names are related appropriately. The secure flag provides confidentiality protection but not integrity protection."

[1] http://security.stackexchange.com/questions/12412/what-cooki...