
Comment by steveklabnik

13 years ago

That does not solve the security issues that they're looking to mitigate.

I see. I thought they could limit the cookies to the github.com root, but they already have stuff like gist.github.com.

  • Which doesn't run arbitrary JS code, unlike the username.github.com pages, which means gist.github.com is incapable of setting such cookies.

    Unless there's a way to 'run' gist files? I'm not aware of any, but I haven't tried particularly hard.

    • He means that if they set cookies to only apply to the root, then you will have to log in to gist.github.com and github.com separately. Taking access away from the untrusted code also means taking it away from some trusted code.

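The cookie scoping the thread argues over, as an added example that is not from GitHub or any commenter: a small model of the RFC 6265 domain-matching rules showing why script on a username.github.com page can plant a cookie that github.com and gist.github.com both receive, and why the alternative (host-only cookies on the root) stops gist.github.com from sharing the login. The hostnames are the ones the thread mentions; Public Suffix List checks are assumed away.

```python
# Added illustration for the thread above, not code from GitHub or any
# commenter. Hostnames are the ones the thread mentions; the matching rules
# follow RFC 6265 (5.1.3 domain matching, 5.3 Domain attribute, 5.4 cookie
# selection). Public Suffix List checks are deliberately left out.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute value, or the setting host itself
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def set_cookie(setting_host: str, name: str,
               domain_attr: Optional[str]) -> Optional[Cookie]:
    """Browser-side acceptance of Set-Cookie; None means it is rejected."""
    if domain_attr is None:
        return Cookie(name, setting_host.lower(), host_only=True)
    domain_attr = domain_attr.lstrip(".").lower()
    # A host may only set cookies for itself or a parent domain (5.3, step 6).
    if not domain_matches(setting_host, domain_attr):
        return None
    return Cookie(name, domain_attr, host_only=False)


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 5.4: host-only cookies need an exact host match."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def recipients(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Which of the given hosts the browser would attach this cookie to."""
    return [h for h in hosts if is_sent_to(cookie, h)]


HOSTS = ["github.com", "gist.github.com", "username.github.com"]

if __name__ == "__main__":
    # Script on a user page widens a cookie to the root: every host gets it.
    planted = set_cookie("username.github.com", "_session", "github.com")
    print("planted by user page ->", recipients(planted, HOSTS))
    # Host-only cookie on the root: gist.github.com no longer shares it.
    root_only = set_cookie("github.com", "_session", None)
    print("host-only on github.com ->", recipients(root_only, HOSTS))
```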