Cookieless domains and XSS issues?
04-23-2011, 12:56 AM
Our site is getting dinged pretty hard on "cookieless" domains. For example:

Home page is http://www.domain.com
We use the following CDN domains:
js.domain.com (javascripts)
css.domain.com (css)
graphics.domain.com (images, media, graphics, etc)
images.domain.com (static images associated with our customers)
video.domain.com (video files served up for our pages)

All of the CDN domains are Akamai, with a dedicated server in our data center for origin, except for the images and video domains, which have Akamai NetStorage as origin.

We set a cookie on domain.com (not http://www.domain.com), so obviously all of our CDN domains are "cookied". We have to set this cookie domain-wide, since we have multiple hostnames under domain.com (such as ww1.domain.com, ww2.domain.com) which are used for our A/B testing, etc, etc.

We are looking to move to a "cookieless" domain for the stuff that doesn't require a cookie. Obviously we can get quick wins by setting up css.domaincdn.com, graphics.domaincdn.com, etc.

The one I am concerned about is the js.domaincdn.com - will we run into any XSS issues? Or will this only occur if the javascripts require access to the domain.com cookies?
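Added example, not part of the original post: a small model of RFC 6265 cookie domain matching applied to the hostnames in the question, showing which requests carry a cookie scoped to `domain.com` and why the host that serves a script does not decide whether that script can read the cookie. The cookie name `session`, its `httpOnly: false` setting and the function names are assumptions made for illustration; Path, Secure and SameSite are ignored.

```javascript
// RFC 6265 section 5.1.3: a host matches if it is identical to the cookie
// domain, or ends with "." + cookie domain (and is a hostname, not an IP).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Which request hosts would carry the cookie in their Cookie header.
function hostsReceivingCookie(hosts, cookie) {
  return hosts.filter((h) => domainMatches(h, cookie.domain));
}

// A script fetched with <script src> runs in the origin of the page that
// includes it, so document.cookie visibility depends on the page host and the
// HttpOnly flag, not on the host the script file was downloaded from.
function scriptCanReadCookie(pageHost, scriptHost, cookie) {
  void scriptHost; // intentionally unused: the serving host does not matter
  return domainMatches(pageHost, cookie.domain) && !cookie.httpOnly;
}

// Constructed sample data based on the hostnames in the post.
const siteCookie = { name: "session", domain: "domain.com", httpOnly: false };
const currentHosts = ["www.domain.com", "ww1.domain.com", "js.domain.com",
  "css.domain.com", "graphics.domain.com", "images.domain.com", "video.domain.com"];
const plannedHosts = ["js.domaincdn.com", "css.domaincdn.com", "graphics.domaincdn.com"];

console.log("cookied today:", hostsReceivingCookie(currentHosts, siteCookie));
console.log("cookied after move:", hostsReceivingCookie(plannedHosts, siteCookie));
console.log("script served from js.domaincdn.com, run on www.domain.com, reads cookie:",
  scriptCanReadCookie("www.domain.com", "js.domaincdn.com", siteCookie));
```

In this model, moving the script files to `js.domaincdn.com` stops the cookie from being sent with requests for them, while the cookie's exposure to script on `www.domain.com` pages is unchanged and is governed by the `HttpOnly` flag.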


Messages In This Thread
Cookieless domains and XSS issues? - mattstratton - 04-23-2011 12:56 AM
