Recently I started diving into cookies, but as far as the domain property is concerned I do not find it that easy. I've read this article:

It points out the advice to keep your cookies safe by hosting your websites with a www-prefix, so www.example.com instead of example.com, because in the latter case Internet Explorer (or any browser?) will also send the cookies to any (possibly malicious) subdomain of example.com when there's an explicit domain specified (with or without leading dot). But don't you own all the subdomains of a domain you purchased? Why can someone else own a subdomain under your parent domain in the first place?

So it is recommended to avoid having untrusted domains under your domain. She also says this is why GitHub Pages is hosted under github.io, not github.com, for example. I don't understand why .io would be safer than .com?

I've learnt that you can always set a cookie for a less specific domain, e.g. bad.example.com can set a cookie for .example.com but not the other way round. What's the ideology behind this from a security perspective? Isn't this just dangerous behaviour, because a subdomain (which apparently may be owned by someone else?) can then set cookies for all other subdomains of example.com and for the parent domain itself. So a user from malicious.example.com also gets granted access to

Why can't you set a cookie for a specific sub-domain (e.g. a.example.com) from the parent domain example.com? I guess that (in the case where someone else owns a subdomain of your domain) you would then be setting cookies for domains that aren't under your control, which isn't allowed, am I right?

When you set a domain value of .example.com, the cookie will be sent to all sub-domains. Does this have anything to do with having the feature of a shared authentication/authorization mechanism that applies to all applications hosted under multiple subdomains (e.g. admin.example.com) but related to the parent domain/app? Because I would think it isn't necessary

Maybe I'm on the wrong track, but I don't quite understand the WHY behind the specs.
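As an added example (not part of the question above), here are the cookie-domain rules the question asks about, modelled in plain JavaScript after the domain-matching and Domain-attribute checks of RFC 6265; the host names are constructed, and the public-suffix check real browsers also apply is left out.

```javascript
// Added example, not the question author's code: RFC 6265 cookie-domain rules,
// so "a subdomain can set a cookie for its parent, but not the other way
// round" can be checked against concrete (constructed) host names.

// RFC 6265 section 5.1.3: request host `host` domain-matches `domain` when the
// two are identical, or when `domain` is a suffix of `host` preceded by a dot
// (and the host is not a bare IPv4 address).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, ''); // browsers ignore a leading dot
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// RFC 6265 section 5.3, step 6: a response from `requestHost` may only set a
// cookie whose Domain attribute domain-matches the request host, i.e. the host
// itself or one of its parent domains. Real browsers additionally reject a
// Domain that is a public suffix (com, co.uk, github.io, ...); omitted here.
function mayRequestHostSetCookieDomain(requestHost, domainAttr) {
  return domainMatches(requestHost, domainAttr);
}

// Hosts (out of `hosts`) to which a cookie accepted with Domain=domainAttr is
// sent. A cookie set without a Domain attribute is host-only: it goes back to
// exactly the host that set it, and to no subdomain.
function hostsReceivingCookie(hosts, domainAttr, setByHost) {
  if (domainAttr === null) {
    return hosts.filter(h => h.toLowerCase() === setByHost.toLowerCase());
  }
  return hosts.filter(h => domainMatches(h, domainAttr));
}

// Constructed sample hosts, including a look-alike that must not match.
const SAMPLE_HOSTS = ['example.com', 'www.example.com', 'admin.example.com',
                      'bad.example.com', 'a.b.example.com', 'notexample.com'];

// Walk through the cases from the question.
function demo() {
  return {
    subdomainSetsParent: mayRequestHostSetCookieDomain('bad.example.com', '.example.com'), // true
    parentSetsSubdomain: mayRequestHostSetCookieDomain('example.com', 'a.example.com'),    // false
    wideCookieReaches: hostsReceivingCookie(SAMPLE_HOSTS, '.example.com', 'bad.example.com'),
    hostOnlyReaches: hostsReceivingCookie(SAMPLE_HOSTS, null, 'www.example.com'),
  };
}
```

The `wideCookieReaches` result shows why a cookie scoped to .example.com set from bad.example.com lands on admin.example.com and on the parent, while a host-only cookie from www.example.com reaches only www.example.com.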