WebPagetest Forums
Cookieless domains and XSS issues? - Printable Version

+- WebPagetest Forums (https://www.webpagetest.org/forums)
+-- Forum: Web Performance (/forumdisplay.php?fid=3)
+--- Forum: Optimization Discussions (/forumdisplay.php?fid=5)
+--- Thread: Cookieless domains and XSS issues? (/showthread.php?tid=705)

Cookieless domains and XSS issues? - mattstratton - 04-23-2011 12:56 AM

Our site is getting dinged pretty hard on "cookieless" domains. For example:

Home page is http://www.domain.com
We use the following CDN domains:
js.domain.com (javascripts)
css.domain.com (css)
graphics.domain.com (images, media, graphics, etc)
images.domain.com (static images associated with our customers)
video.domain.com (video files served up for our pages)

All of the CDN domains are Akamai, with a dedicated server in our data center for origin, except for the images and video domains, which have Akamai NetStorage as origin.

We set a cookie on domain.com (not http://www.domain.com), so obviously all of our CDN domains are "cookied". We have to set this cookie domain-wide, since we have multiple hostnames under domain.com (such as ww1.domain.com, ww2.domain.com) which are used for our A/B testing, etc, etc.

We are looking to move to a "cookieless" domain for the stuff that doesn't require a cookie. Obviously we can get quick wins by setting up css.domaincdn.com, graphics.domaincdn.com, etc.

The one I am concerned about is the js.domaincdn.com - will we run into any XSS issues? Or will this only occur if the javascripts require access to the domain.com cookies?

RE: Cookieless domains and XSS issues? - sajal - 04-25-2011 05:25 AM

There should not be any cross-domain issues in moving the js to another domain.

AFAIK for cross-domain stuff, the browser is only concerned about the hostname of the page that the javascript is being run on, but not the hostname of the actual javascript files... -- not entirely sure
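As an added example (not code from the thread or from WebPagetest), a small JavaScript model of the RFC 6265 domain-matching rule that decides which hosts a cookie is sent to; the hostnames and cookie names below are constructed from the question above, and the note at the end records the origin point made in the reply.

```javascript
// Added example: RFC 6265 cookie domain matching, to show which hosts a
// cookie stamped Domain=domain.com is sent to. Not part of the original thread.
// domainMatch(requestHost, cookieDomain) per RFC 6265 section 5.1.3:
// the host matches if it equals the cookie domain or ends with "." + cookieDomain
// (IPv4 addresses never suffix-match; IPv6 omitted; both compared lower-case).
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot ignored
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// A stored cookie: name, domain, host-only flag. hostOnly = true means no Domain
// attribute was set, so only the exact setting host ever receives it.
function makeCookie(name, settingHost, domainAttr) {
  if (domainAttr === undefined) {
    return { name, domain: settingHost.toLowerCase(), hostOnly: true };
  }
  return { name, domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Which of the jar's cookie names would be attached to a request to `host`?
function cookiesSentTo(host, jar) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .map(c => c.name);
}

// Constructed sample: the domain-wide cookie the poster describes (Domain=domain.com)
// plus a host-only cookie set by www.domain.com for contrast.
const SAMPLE_JAR = [
  makeCookie("session", "www.domain.com", "domain.com"),
  makeCookie("prefs", "www.domain.com"),
];
const HOSTS = [
  "www.domain.com", "ww1.domain.com", "js.domain.com", "css.domain.com",
  "js.domaincdn.com", "css.domaincdn.com", "notdomain.com",
];

// Per host, the cookie names that ride along with every request to it.
function cookieReport(hosts = HOSTS, jar = SAMPLE_JAR) {
  const report = {};
  for (const host of hosts) report[host] = cookiesSentTo(host, jar);
  return report;
}

// Note: a script fetched from js.domaincdn.com and included by www.domain.com runs
// in www.domain.com's origin; the cookieless host saves request bytes, nothing more.
```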