An increasing number of web applications (most notably 37Signals' Basecamp) assign a subdomain to every user/account. I was wondering what the pros and cons are of such an approach. Is there a particular reason for doing this or is this merely a cosmetic feature? Does this, for example, allow for better/easier scalability and improved security?
I think it may be related to the Same Origin Policy. If two users' member pages are on different subdomains, browsers will prevent scripts from one subdomain from accessing documents in another subdomain. So if Mallory registers a site (mallory.example.org) and puts a malicious script on it, that script won't be able to modify the DOM of Alice's site (alice.example.org). If they were using paths instead (example.org/mallory and example.org/alice), the SOP wouldn't work, and Mallory's script could do all sorts of bad things on Alice's page, like fake a login screen and post the passwords back to Mallory.
This SOP protection even works when both subdomains resolve to the same IP - as long as the host part of the URL is different, modern browsers will block cross-domain scripting attempts (and a few other potentially dangerous things).
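The following is an added example, not part of the answer above or of any project it mentions. It shows how a browser derives an "origin" from a URL and why that makes subdomain-per-user isolation meaningful while path-per-user gives none: the origin is the scheme, host and port only, so two paths under one host are the same origin. It uses the WHATWG `URL` class (available in Node.js and browsers); the Alice/Mallory URLs are constructed sample values.

```javascript
// Added example (not from the original answer): how an origin is computed
// from a URL and how the same-origin policy compares two of them.
// Uses the standard WHATWG URL class; all sample URLs are constructed.

// Origin = scheme + host + port. Path, query and fragment are ignored.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// The core SOP test a browser applies before letting script in one
// document touch another document's DOM.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Explain which origin component differs (empty list means same origin).
function originDifferences(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  const diffs = [];
  if (ua.protocol !== ub.protocol) diffs.push("scheme");
  if (ua.hostname !== ub.hostname) diffs.push("host");
  if (ua.port !== ub.port) diffs.push("port");
  return diffs;
}

// Constructed sample URLs mirroring the answer's scenario.
const SUBDOMAIN_ALICE   = "https://alice.example.org/dashboard";
const SUBDOMAIN_MALLORY = "https://mallory.example.org/evil.html";
const PATH_ALICE        = "https://example.org/alice/dashboard";
const PATH_MALLORY      = "https://example.org/mallory/evil.html";

function isolationReport() {
  return {
    // Different hosts: Mallory's script is blocked from Alice's document.
    subdomainsShareOrigin: sameOrigin(SUBDOMAIN_ALICE, SUBDOMAIN_MALLORY),
    // Same host, different paths: one origin, no isolation at all.
    pathsShareOrigin: sameOrigin(PATH_ALICE, PATH_MALLORY),
    // Scheme and port are part of the origin too.
    httpVsHttps: originDifferences("http://example.org/", "https://example.org/"),
    portDiffers: originDifferences("https://example.org/", "https://example.org:8443/"),
  };
}

console.log(isolationReport());
```

Note that the comparison is purely on the URL's host string, which is why the answer's point about a shared IP holds: the browser never consults DNS when deciding origin. The check also says nothing about cookies, which are scoped by their own `Domain`/`Path` rules rather than by the same-origin policy, so a per-user subdomain scheme still needs cookies set on the specific subdomain rather than the parent domain.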