Comment by hcarvalhoalves

13 years ago

I see. I thought they could limit the cookies to the github.com root, but they already have stuff like gist.github.com.

Which doesn't run arbitrary JS code, unlike the username.github.com pages, which means gist.github.com is incapable of setting such cookies.

Unless there's a way to 'run' gist files? I'm not aware of any, but I haven't tried particularly hard.

  • He means that if they set cookies to only apply to the root, then you will have to log in to gist.github.com and github.com separately. Taking access away from the untrusted code also means taking it away from some trusted code.
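
The cookie-scoping trade-off discussed in this thread, as an added example that is not part of the original comments: a simplified model of RFC 6265 cookie storage and domain matching, showing which of the hosts named above receive a host-only cookie versus a `Domain=github.com` cookie. The function names and the `session` cookie name are hypothetical, and the public-suffix check that real browsers also apply is omitted.

```javascript
// RFC 6265 section 5.1.3: a host matches a cookie domain if it is identical
// to it or is a subdomain of it (the boundary must fall on a dot).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Simplified model of what a browser stores when `setterHost` sets a cookie.
// domainAttr === undefined means no Domain attribute, giving a host-only cookie.
// Returns null when the browser would reject the cookie.
function storeCookie(setterHost, name, domainAttr) {
  if (domainAttr === undefined) {
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only scope a cookie to itself or to one of its parent domains.
  if (!domainMatch(setterHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach this stored cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (!cookie) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

function recipients(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Hosts named in the thread.
const HOSTS = ["github.com", "gist.github.com", "username.github.com"];

// Root-only scoping: gist.github.com no longer sees the session (separate login).
const hostOnly = storeCookie("github.com", "session", undefined);
// Shared scoping: every subdomain sees it, including user-controlled pages.
const shared = storeCookie("github.com", "session", "github.com");
// A subdomain is allowed to set a cookie scoped to the parent domain.
const fromPages = storeCookie("username.github.com", "session", "github.com");
// A cookie scoped to an unrelated domain is rejected.
const crossSite = storeCookie("username.github.com", "session", "example.org");

console.log("host-only      ->", recipients(hostOnly, HOSTS));
console.log("Domain=parent  ->", recipients(shared, HOSTS));
console.log("set by subdomain, sent to github.com:", isSentTo(fromPages, "github.com"));
console.log("cross-site cookie accepted:", crossSite !== null);
```
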