While on a page on subdomain.foo.com, I know it is possible to set a cookie in JavaScript with a domain=foo.com clause (or domain=.foo.com according to earlier specifications), and have that cookie apply to all subdomains.

When I open up the developer console in Chrome on a GitHub Pages page (say, yelp.github.io) and try this using a domain=github.io clause, the cookie doesn't get set (document.cookie yields the empty string). I only seem to be able to get the cookie to set if I omit the domain clause, or use domain=yelp.github.io.

I can understand why GitHub would want to restrict cookie scope this way for security reasons, but I'm not sure how this is actually working or what's behind the behavior I'm seeing. Is there something special about the github.io domain? Is there a security policy being applied I'm not aware of? Or am I just doing it wrong?
document.cookie = 'foo=1; domain=github.io'
According to the relevant specification (RFC 6265), cookies are rejected for public suffixes if set from a subdomain:

"If the user agent is configured to reject "public suffixes" and the domain-attribute is a public suffix: If the domain-attribute is identical to the canonicalized request-host: Let the domain-attribute be the empty string. Otherwise: Ignore the cookie entirely and abort these steps.

NOTE: A "public suffix" is a domain that is controlled by a public registry, such as "com", "co.uk", and "pvt.k12.wy.us". This step is essential for preventing attacker.com from disrupting the integrity of example.com by setting a cookie with a Domain attribute of "com". Unfortunately, the set of public suffixes (also known as "registry controlled domains") changes over time. If feasible, user agents SHOULD use an up-to-date public suffix list, such as the one maintained by the Mozilla project at http://publicsuffix.org/."

github.io is on the public suffix list.
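The following is an added example, not code from the question, the answer or any browser: a small model of the RFC 6265 section 5.3 domain-attribute check (the public-suffix step quoted above plus the domain-matching step that follows it), run against a constructed subset of the Public Suffix List. It reproduces the behaviour seen in the question: from yelp.github.io a cookie with domain=github.io is rejected, while domain=yelp.github.io, no domain attribute, or domain=foo.com from subdomain.foo.com are accepted. The suffix set, the function names and the return shape are this example's own assumptions; a real user agent loads the full list from publicsuffix.org.

```javascript
// Constructed subset of the Public Suffix List, enough for the cases below.
// A real browser uses the full, regularly updated list from https://publicsuffix.org/.
const PUBLIC_SUFFIXES = new Set(['com', 'io', 'co.uk', 'github.io']);

// Lower-case and drop a trailing dot (RFC 6265 "canonicalized" host form).
function canonicalize(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(canonicalize(domain));
}

// RFC 6265 section 5.1.3: the request-host domain-matches the cookie domain
// when it is identical to it or is a subdomain of it.
function domainMatches(requestHost, domain) {
  return requestHost === domain || requestHost.endsWith('.' + domain);
}

// Model of RFC 6265 section 5.3 (steps 4 to 6) for the Domain attribute.
// Returns { accepted: false, reason } when the user agent ignores the cookie,
// otherwise { accepted: true, hostOnly, domain } describing the stored cookie.
function evaluateCookieDomain(requestHost, domainAttribute) {
  const host = canonicalize(requestHost);
  // Section 5.2.3: a leading dot in the attribute value is stripped,
  // so domain=.foo.com and domain=foo.com are treated the same.
  let domain = domainAttribute
    ? canonicalize(domainAttribute.replace(/^\./, ''))
    : '';

  // Step 5: public-suffix handling (the text quoted in the answer).
  if (domain !== '' && isPublicSuffix(domain)) {
    if (domain === host) {
      domain = ''; // a site that *is* a public suffix gets a host-only cookie
    } else {
      return { accepted: false, reason: 'domain attribute is a public suffix' };
    }
  }

  // Step 6: a non-empty domain must domain-match the request host.
  if (domain !== '') {
    if (!domainMatches(host, domain)) {
      return { accepted: false, reason: 'request host does not domain-match' };
    }
    return { accepted: true, hostOnly: false, domain };
  }
  // No (or emptied) domain attribute: host-only cookie for the request host.
  return { accepted: true, hostOnly: true, domain: host };
}

// Demonstration of the cases from the question.
for (const [host, attr] of [
  ['yelp.github.io', 'github.io'],
  ['yelp.github.io', 'yelp.github.io'],
  ['yelp.github.io', ''],
  ['subdomain.foo.com', '.foo.com'],
  ['attacker.com', 'com'],
]) {
  console.log(host, 'domain=' + attr, JSON.stringify(evaluateCookieDomain(host, attr)));
}
```

When the model returns accepted: false, a browser simply leaves document.cookie unchanged, which is why the question sees an empty string rather than an error.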