
My site will have an extremely insecure subdomain and a secure root domain. Say http://test.example.com and http://example.com; the root domain will have a login cookie. Wikipedia indicates they would not have the same origin, hence the login cookie could not be read by the subdomain. However, I am hesitant to believe that, seeing as logins on Wikipedia itself carry over regardless of subdomain.

On the same note, I would like to confirm that, in that scenario, if I were to use a sandboxed iframe displaying the subdomain on my root domain, the subdomain would not have access to the login cookie.

Aidan
    I can't give a comprehensive answer to your question, but [note that](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives) cookies can use the `Domain` directive to indicate which domain they should be sent to, including subdomains. So your observation about Wikipedia logins does not contradict what you read about the Same Origin Policy. – Kevin Christopher Henry Sep 23 '19 at 02:27
  • Would there be other risks due to this https://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy though? – Aidan Sep 23 '19 at 03:56
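The following is an added example, not code from the question or the comments. It is a small model of RFC 6265 cookie scoping that shows why the two observations in the question do not conflict: a cookie set by example.com with no `Domain` attribute is "host-only" and is never sent to test.example.com, while a cookie set with `Domain=example.com` (the Wikipedia-style login) is sent to every subdomain. It also goes one step beyond the question, toward the "other risks" asked about in the comment: a subdomain is allowed to set a cookie scoped to its parent domain, so an attacker on test.example.com can plant a second `session` cookie that example.com will receive alongside the real one (cookie tossing), and the `__Host-` name prefix is the standard way to refuse such cookies. The hostnames are the question's own; the cookie names, values and the in-memory "jar" are constructed for illustration. Note that this is HTTP-level behaviour: a sandboxed iframe without `allow-same-origin` gets an opaque origin, which blocks script access to `document.cookie`, but the browser still attaches every matching cookie to the frame's own HTTP requests.

```javascript
// Added example (not from the original post): a model of RFC 6265 cookie scoping.
// Hostnames are the question's; cookie names/values and the jar are constructed.

// RFC 6265 s5.1.3 domain-matching: the request host matches a cookie domain if it
// is the same string, or ends with "." + domain (and is not an IPv4 literal).
function domainMatches(requestHost, cookieDomain) {
  requestHost = requestHost.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (requestHost === cookieDomain) return true;
  return requestHost.endsWith("." + cookieDomain) && !/^\d+(\.\d+){3}$/.test(requestHost);
}

// Model of a browser processing a Set-Cookie received from `settingHost`.
// Returns the stored record, or null if the browser would reject the cookie.
function storeCookie(jar, settingHost, { name, value, domain, path = "/", secure = false }) {
  // No Domain attribute: host-only cookie, sent to exactly settingHost.
  // Domain=foo: accepted only if settingHost domain-matches foo, so
  // test.example.com may set Domain=example.com but not Domain=other.com.
  let hostOnly = true;
  let effectiveDomain = settingHost.toLowerCase();
  if (domain) {
    const d = domain.replace(/^\./, "").toLowerCase(); // leading dot is ignored
    if (!domainMatches(settingHost, d)) return null;
    hostOnly = false;
    effectiveDomain = d;
  }
  // __Host- prefix: must be Secure, Path=/ and carry no Domain attribute, which is
  // what makes it impossible for a subdomain to plant or overwrite it.
  if (name.startsWith("__Host-") && (!secure || path !== "/" || !hostOnly)) return null;
  // Cookie identity is name + domain + path + host-only flag (RFC 6265bis), so a
  // Domain=example.com cookie from a subdomain sits *beside* the root's host-only
  // cookie of the same name rather than replacing it.
  const rec = { name, value, domain: effectiveDomain, path, hostOnly, secure, setBy: settingHost };
  const idx = jar.findIndex(c => c.name === name && c.domain === effectiveDomain
                                 && c.path === path && c.hostOnly === hostOnly);
  if (idx >= 0) jar[idx] = rec; else jar.push(rec);
  return rec;
}

// Which cookies would the browser attach to a request for host + path?
function cookiesFor(jar, host, { secure = true, path = "/" } = {}) {
  host = host.toLowerCase();
  return jar.filter(c => {
    const domainOk = c.hostOnly ? host === c.domain : domainMatches(host, c.domain);
    const prefix = c.path.endsWith("/") ? c.path : c.path + "/";
    const pathOk = path === c.path || path.startsWith(prefix);
    return domainOk && pathOk && (!c.secure || secure);
  }).map(c => `${c.name}=${c.value}`);
}

// Walk through the scenario from the question.
function demo() {
  const jar = [];
  // Root domain sets a host-only login cookie (no Domain attribute).
  storeCookie(jar, "example.com", { name: "session", value: "root-only", secure: true });
  // Root domain sets a Wikipedia-style cookie explicitly shared with subdomains.
  storeCookie(jar, "example.com", { name: "shared", value: "all-subdomains",
                                    domain: "example.com", secure: true });
  // The insecure subdomain tosses a same-named cookie scoped to the parent domain...
  const tossed = storeCookie(jar, "test.example.com",
                             { name: "session", value: "attacker-chosen", domain: "example.com" });
  // ...but cannot claim an unrelated domain, nor forge a __Host- cookie.
  const foreign = storeCookie(jar, "test.example.com", { name: "x", value: "1", domain: "other.com" });
  const fakeHost = storeCookie(jar, "test.example.com",
                               { name: "__Host-session", value: "forged", domain: "example.com", secure: true });
  return {
    tossedAccepted: tossed !== null,     // true: subdomain may set Domain=example.com
    foreignAccepted: foreign !== null,   // false
    fakeHostAccepted: fakeHost !== null, // false: __Host- refuses a Domain attribute
    sentToSubdomain: cookiesFor(jar, "test.example.com"),
    sentToRoot: cookiesFor(jar, "example.com"),
  };
}

console.log(demo());
```

Running `demo()` shows the host-only `session=root-only` cookie is never sent to test.example.com, while `shared=all-subdomains` is; and that a request to example.com now carries both `session=root-only` and the subdomain's `session=attacker-chosen`, which is why a login cookie on a domain with an untrusted subdomain should be a `__Host-` cookie with no `Domain` attribute.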

0 Answers