
Please elaborate on the part about UCG from a separate domain. Why is this?



If someone uses this trick to upload a PNG like this to your server, and that person is tricked into running it as HTML, then that HTML has access to your cookies and can make AJAX requests (circumvent same origin protection).

If user content is on a separate domain, they can't do that.

Also phishing is a lot easier when you're on the real domain...
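An added example (mine, not from this thread or any project it mentions) that models the risk the comment above describes: a user upload that starts with a valid PNG signature but carries HTML-looking bytes is served two ways, once naively from the application's own origin and once from a separate user-content origin with the type verified and sniffing disabled. The origins, the sample upload and the browser model are constructed assumptions; real browser sniffing rules are more nuanced than the `can_run_as_app` check here.

```python
import dataclasses
import re

# Constructed example: two ways to serve a user upload, showing what the separate
# UGC origin buys you. Origins and the sample upload are made up for illustration.

APP_ORIGIN = "https://app.example"       # assumed: origin whose session cookies matter
UGC_ORIGIN = "https://ugc-example.net"   # assumed: cookie-less origin for uploads

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed polyglot: valid PNG signature followed by HTML-looking bytes, the
# sort of file the comment above describes. The script body is a placeholder.
POLYGLOT_UPLOAD = (PNG_MAGIC + b"\x00\x00\x00\rIHDR"
                   + b"<html><script>/* constructed placeholder */</script></html>")


@dataclasses.dataclass
class Response:
    origin: str
    status: int
    headers: dict
    body: bytes


def looks_like_png(data: bytes) -> bool:
    """Check the file signature rather than trusting the client's declared type."""
    return data.startswith(PNG_MAGIC)


def contains_markup(data: bytes) -> bool:
    """Crude check for HTML tags near the start of the file, which is where sniffers look."""
    return re.search(rb"<\s*(script|html|body|iframe)", data[:512], re.IGNORECASE) is not None


def serve_naive(data: bytes, declared_type: str) -> Response:
    """Weak policy: app origin, client-declared type, no sniffing guard, no sandbox."""
    return Response(APP_ORIGIN, 200, {"Content-Type": declared_type}, data)


def serve_hardened(data: bytes, declared_type: str) -> Response:
    """Defensive policy: verify the bytes, pin Content-Type, forbid sniffing,
    sandbox the document, and serve from the separate UGC origin."""
    if declared_type == "image/png" and not looks_like_png(data):
        return Response(UGC_ORIGIN, 415, {}, b"")   # declared type does not match the bytes
    is_png = looks_like_png(data)
    headers = {
        "Content-Type": "image/png" if is_png else "application/octet-stream",
        "X-Content-Type-Options": "nosniff",                       # no re-interpretation as HTML
        "Content-Security-Policy": "sandbox; default-src 'none'",  # no script, opaque origin
        "Content-Disposition": "inline" if is_png else "attachment",
    }
    return Response(UGC_ORIGIN, 200, headers, data)


def can_run_as_app(resp: Response) -> bool:
    """Simplified model of the risk in the comment: could script in this body run with
    the app's cookies? Only if it is served from the app origin, the browser might treat
    it as HTML (declared HTML, or markup present with sniffing allowed), and no sandbox
    CSP is set. This is an illustration, not a faithful browser sniffing implementation."""
    if resp.origin != APP_ORIGIN or resp.status != 200:
        return False
    if "sandbox" in resp.headers.get("Content-Security-Policy", ""):
        return False
    ctype = resp.headers.get("Content-Type", "")
    nosniff = resp.headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    return ctype.startswith("text/html") or (not nosniff and contains_markup(resp.body))


if __name__ == "__main__":
    for fn in (serve_naive, serve_hardened):
        r = fn(POLYGLOT_UPLOAD, "image/png")
        print(fn.__name__, r.origin, r.status, "runs with app cookies:", can_run_as_app(r))
```

The origin split is the part that holds even when the other headers are forgotten: a document on `ugc-example.net` has no access to `app.example` cookies or same-origin requests, whichever way a browser decides to interpret the bytes.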


Sorry, didn't see this comment earlier. GitHub's blog post on why they did this gives some good insight.

https://github.com/blog/1452-new-github-pages-domain-github-...



