Comment by Groxx
13 years ago
Which doesn't run arbitrary JS code, unlike the username.github.com pages, which means gist.github.com is incapable of setting such cookies.
Unless there's a way to 'run' gist files? I'm not aware of any, but I haven't tried particularly hard.
He means that if they set cookies to only apply to the root, then you will have to log in to gist.github.com and github.com separately. Taking access away from the untrusted code also means taking it away from some trusted code.
Aaah, d'oh. Makes sense in retrospect :) thanks!
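
The trade-off discussed in this thread, as an added example that is not part of the original comments: a simplified model of RFC 6265 domain matching showing which hosts receive a host-only cookie versus one scoped with `Domain=github.com`. The cookie names and the `storeCookie`, `isSentTo` and `demo` helpers are hypothetical, and the public-suffix check real browsers apply is omitted.

```javascript
// Simplified model of RFC 6265 cookie scoping (sections 5.1.3 and 5.3).
// Cookie names and helper functions are constructed for illustration.

// RFC 6265 5.1.3: a host domain-matches a domain if they are equal,
// or if the host ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie set by a response from `requestHost`.
// Returns the stored cookie, or null if the browser would reject it.
function storeCookie(requestHost, name, domainAttr) {
  if (domainAttr === undefined) {
    // No Domain attribute: host-only cookie, bound to the exact host.
    return { name, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only set cookies for itself or a parent domain.
  if (!domainMatches(requestHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach `cookie` to a request for `host`?
function isSentTo(cookie, host) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatches(host, cookie.domain);
}

// Build a table: cookie scoping choice -> hosts that receive the cookie.
function demo() {
  const hosts = ["github.com", "gist.github.com", "username.github.com"];
  const cases = {
    "host-only, set by github.com": storeCookie("github.com", "session"),
    "Domain=github.com, set by github.com":
      storeCookie("github.com", "session", "github.com"),
    "Domain=github.com, set by username.github.com":
      storeCookie("username.github.com", "x", "github.com"),
  };
  const table = {};
  for (const [label, cookie] of Object.entries(cases)) {
    table[label] = hosts.filter((h) => isSentTo(cookie, h));
  }
  return table;
}

console.log(demo());
```

The host-only row is the "log in separately" case: the cookie never reaches gist.github.com. The domain-scoped rows show why sharing the session across subdomains also exposes it to any subdomain that serves user-controlled pages.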