Setting a cookie on .github.io domain in JavaScript

While on a page on subdomain.foo.com, I know it is possible to set a cookie in JavaScript with a domain=foo.com clause (or domain=.foo.com according to earlier specifications), and have that cookie apply to all subdomains.

When I open up the developer console in Chrome on a GitHub Pages page (say, yelp.github.io) and try this using a domain=github.io clause, the cookie doesn't get set (document.cookie yields the empty string). I only seem to be able to get the cookie to set if I omit the domain clause, or use domain=yelp.github.io.

I can understand why GitHub would want to restrict cookie scope this way for security reasons, but I'm not sure how this is actually working or what's behind the behavior I'm seeing. Is there something special about the github.io domain? Is there a security policy being applied I'm not aware of? Or am I just doing it wrong?

document.cookie = 'foo=1; domain=github.io'
Alex Chao asked Nov 21 '17 17:11




1 Answer

According to the relevant specification (RFC 6265), cookies are rejected for public suffixes if set from a subdomain:

If the user agent is configured to reject "public suffixes" and the domain-attribute is a public suffix:
    If the domain-attribute is identical to the canonicalized request-host:
        Let the domain-attribute be the empty string.
    Otherwise:
        Ignore the cookie entirely and abort these steps.

NOTE: A "public suffix" is a domain that is controlled by a public registry, such as "com", "co.uk", and "pvt.k12.wy.us". This step is essential for preventing attacker.com from disrupting the integrity of example.com by setting a cookie with a Domain attribute of "com". Unfortunately, the set of public suffixes (also known as "registry controlled domains") changes over time. If feasible, user agents SHOULD use an up-to-date public suffix list, such as the one maintained by the Mozilla project at http://publicsuffix.org/.


github.io is on the public suffix list.

TimoStaudinger answered Sep 21 '22 16:09
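As an added illustration (not part of the question or the answer), the JavaScript below models the RFC 6265 domain-attribute steps quoted above, so you can see why `domain=github.io` is dropped from yelp.github.io while `domain=yelp.github.io` and the host-only form are kept. The three-entry `PUBLIC_SUFFIXES` set is a constructed stand-in for the real public suffix list, and `storeCookie`, `parseCookie` and `domainMatches` are names chosen for this example.

```javascript
// Constructed subset of the public suffix list (real browsers load the full
// list from publicsuffix.org); github.io is on the real list as well.
const PUBLIC_SUFFIXES = new Set(["com", "io", "github.io"]);

// RFC 6265 section 5.1.3: host domain-matches domain when they are equal, or
// host ends with "." + domain and host is not an IP address.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith("." + domain) && !/^\d+(\.\d+){3}$/.test(host);
}

// Minimal parser for a document.cookie assignment: name=value plus attributes.
function parseCookie(cookieString) {
  const [pair, ...attrs] = cookieString.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? "" : pair.slice(0, eq).trim();
  const value = eq < 0 ? pair : pair.slice(eq + 1).trim();
  let domain = "";
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    // A leading dot is ignored (RFC 6265 section 5.2.3).
    if (k.toLowerCase() === "domain") domain = v.toLowerCase().replace(/^\./, "");
  }
  return { name, value, domain };
}

// Models the storage decision a user agent makes for a cookie set from
// requestHost. Returns the stored record, or null when the cookie is ignored.
function storeCookie(requestHost, cookieString) {
  const host = requestHost.toLowerCase();
  const { name, value, domain } = parseCookie(cookieString);
  let domainAttr = domain;
  // Section 5.3 step 5: reject public suffixes unless identical to the host.
  if (domainAttr && PUBLIC_SUFFIXES.has(domainAttr)) {
    if (domainAttr === host) domainAttr = "";
    else return null; // "Ignore the cookie entirely and abort these steps."
  }
  // Section 5.3 step 6: the host must domain-match a non-empty Domain attribute.
  if (domainAttr) {
    if (!domainMatches(host, domainAttr)) return null;
    return { name, value, domain: domainAttr, hostOnly: false };
  }
  // No (or emptied) Domain attribute: host-only cookie bound to the request host.
  return { name, value, domain: host, hostOnly: true };
}
```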