WebPagetest Forums - Cookieless domains and XSS issues?

Our site is getting dinged pretty hard on "cookieless" domains. For example:

Home page is http://www.domain.com
We use the following CDN domains:
js.domain.com (javascripts)
css.domain.com (css)
graphics.domain.com (images, media, graphics, etc)
images.domain.com (static images associated with our customers)
video.domain.com (video files served up for our pages)

All of the CDN domains are Akamai, with a dedicated server in our data center for origin, except for the images and video domains, which have Akamai NetStorage as origin.

We set a cookie on domain.com (not http://www.domain.com), so obviously all of our CDN domains are "cookied". We have to set this cookie domain-wide, since we have multiple hostnames under domain.com (such as ww1.domain.com, ww2.domain.com) which are used for our A/B testing, etc, etc.

We are looking to move to a "cookieless" domain for the stuff that doesn't require a cookie. Obviously we can get quick wins by setting up css.domaincdn.com, graphics.domaincdn.com, etc.

The one I am concerned about is the js.domaincdn.com - will we run into any XSS issues? Or will this only occur if the javascripts require access to the domain.com cookies?

There should not be any cross-domain issues in moving the js to another domain.

AFAIK for cross-domain stuff, the browser is only concerned about the hostname of the page that the javascript is being run on, but not the hostname of the actual javascript files.... -- not entirely sure
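
Added example, not part of the original thread: the cookie domain-matching rule from RFC 6265 section 5.1.3 applied to the hostnames above, plus the same-origin point from the reply (a script's access to document.cookie follows the page's host, not the host the file was fetched from). The function names are hypothetical, the hostnames are the thread's placeholders, and Path, Secure and SameSite are ignored.

```javascript
// Hostnames below are the placeholders used in the thread (constructed sample input).
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// True when a request to `host` carries a cookie scoped to `cookieDomain`.
// hostOnly = true models a cookie set without a Domain attribute.
function cookieSentTo(host, cookieDomain, hostOnly = false) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  if (h === d) return true;
  if (hostOnly) return false;
  // IP literals never suffix-match a cookie domain.
  if (IPV4.test(h) || h.includes(":")) return false;
  // Suffix match must fall on a label boundary: notdomain.com is not under domain.com.
  return h.endsWith("." + d);
}

// Assumption for illustration: visibility through document.cookie is decided
// by the embedding page's host and the HttpOnly flag only.
function scriptCanReadCookie(pageHost, scriptHost, cookieDomain, httpOnly = false) {
  void scriptHost; // deliberately unused: the file's source host plays no part
  return !httpOnly && cookieSentTo(pageHost, cookieDomain);
}

// Which asset hosts still receive the domain-wide cookie on every request.
function report(cookieDomain, hosts) {
  return hosts.map((host) => ({ host, cookied: cookieSentTo(host, cookieDomain) }));
}

const assetHosts = [
  "www.domain.com", "ww1.domain.com",
  "js.domain.com", "css.domain.com", "graphics.domain.com",
  "js.domaincdn.com", "css.domaincdn.com", "graphics.domaincdn.com",
];
console.table(report("domain.com", assetHosts));

// A script served from the cookieless host, included by a page on www.domain.com:
console.log(
  "js.domaincdn.com script on www.domain.com page reads the cookie:",
  scriptCanReadCookie("www.domain.com", "js.domaincdn.com", "domain.com")
);
```

The last line is true: moving the file to js.domaincdn.com keeps the cookie off the asset requests, but the script still runs with the page's access to the domain.com cookie unless that cookie is HttpOnly.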