A site's cookies are subject to the cross-site rule: cookies under the same root domain can be shared and read.
Some other cross-site JS APIs have the same capability.
Under the same domain name, sites are not isolated from each other by default.
According to international convention, when a domain name is used to provide an open service, it should be added to the recognized "Public Suffix List".
All major international browsers recognize this list; once a domain is added, its sub-sites no longer share information, eliminating the possibility of using technical means to steal information across sites.
On checking the list: https://publicsuffix.org/list/public_suffix_list.dat
Gitee's domain (gitee.io) has not been submitted to this list, so there is a risk of cross-site information theft.
Comparable international services such as github.io, vercel.dev and pages.dev all have this hardening measure.
Therefore, we suggest submitting the gitee.io domain to the international organization (method: https://publicsuffix.org/submit/ ) to avoid the potential security risk.
Official introduction: https://publicsuffix.org/learn/
mozilla: https://wiki.mozilla.org/Public_Suffix_List
chrome: https://web.dev/same-site-same-origin/
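An added example (not the issue author's code and not libpsl): a minimal implementation of the Public Suffix List matching algorithm, run over a constructed excerpt of the list in the real file format, once without gitee.io and once with gitee.io in the PRIVATE section as the issue proposes. The excerpt, the hostnames and the function names are assumptions for illustration; the point it shows is the one above, namely that two user sites under gitee.io share one registrable domain (and so Domain=gitee.io cookies) until gitee.io is listed, and that listing it also makes the browser reject such cookies.

```python
# Added example: minimal Public Suffix List matcher (not the issue author's code, not
# libpsl). PSL_BEFORE is a constructed excerpt; PSL_AFTER adds gitee.io to PRIVATE.
PSL_BEFORE = """\
// ===BEGIN ICANN DOMAINS===
com
io
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
pages.dev
// ===END PRIVATE DOMAINS===
"""
PSL_AFTER = PSL_BEFORE.replace("github.io\n", "github.io\ngitee.io\n")

def parse_psl(text):
    """Collect rules; wildcard ('*.') and exception ('!') rules are kept verbatim."""
    return {ln.split()[0].lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("//")}

def public_suffix(host, rules):
    """PSL algorithm: an exception rule wins outright, otherwise the longest matching
    rule, otherwise the rightmost label (the implicit '*' default rule)."""
    labels = host.lower().strip(".").split(".")
    best = None  # (label count, suffix)
    for i in range(len(labels)):
        cand, rest = ".".join(labels[i:]), ".".join(labels[i + 1:])
        if "!" + cand in rules:
            return rest  # exception: public suffix is one label shorter than the rule
        if cand in rules or (rest and "*." + rest in rules):
            if best is None or len(labels) - i > best[0]:
                best = (len(labels) - i, cand)
    return best[1] if best else labels[-1]

def registrable_domain(host, rules):
    """eTLD+1 (the widest scope a Domain= cookie may use); None if host is a suffix."""
    labels = host.lower().strip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def cookie_domain_acceptable(host, domain, rules):
    """A Set-Cookie Domain= value is honoured only if it domain-matches the host and is
    not itself a public suffix; listing gitee.io is what fails that second check."""
    domain = domain.lower().lstrip(".")
    matches = host.lower() == domain or host.lower().endswith("." + domain)
    return matches and registrable_domain(domain, rules) is not None
```

Two hosts are treated as the same site for cookie purposes exactly when `registrable_domain` returns the same value for both.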
Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.
Description of Organization
Robust Reason for PSL Inclusion
DNS verification via dig
Run Syntax Checker (make test)
Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place in the respective zone(s) in the affected section
Submitter affirms the following:
For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.
To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.
PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.
(Link: about propagation/expectations)
We provide a code hosting and collaborative development platform for developers/enterprises, with more than 10 million developers, more than 25 million hosting projects, bringing together almost all original open source projects in China, and launched the Enterprise Edition in 2016, providing enterprise-level code hosting services, becoming a leading SaaS service provider in the development field.
Organization Website:
https://gitee.com
Gitee.io is a domain name used by Gitee, a Chinese-based provider of Git-based collaboration and code hosting services, to provide a service similar to GitHub Pages. Gitee.io allows users to create websites and web pages using HTML, CSS, and JavaScript, and host them on the Gitee platform. As the use of gitee.io domain names becomes more widespread, there is a potential risk of malicious actors using similar domain names to impersonate Gitee or its services. To mitigate this risk and protect users, we recommend adding gitee.io to the Public Suffix List. This will ensure that only Gitee and authorized entities can create subdomains under gitee.io, providing an additional layer of security for users and businesses using Gitee's services.
Number of users this request is being made to serve:
More than 10 million
dig +short TXT _psl.gitee.io
"https://github.com/publicsuffix/list/pull/1728"
Results of Syntax Checker (make test)
============================================================================
Testsuite summary for libpsl 0.21.2
============================================================================
# TOTAL: 3
# PASS: 3
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in tests
CC test-is-public.o
CC test-is-public-all.o
CC test-is-cookie-domain-acceptable.o
CC test-is-public-builtin.o
CC test-registrable-domain.o
CCLD test-is-cookie-domain-acceptable
CCLD test-is-public-builtin
CCLD test-is-public
CCLD test-is-public-all
CCLD test-registrable-domain
PASS: test-is-public-builtin
PASS: test-is-public
PASS: test-is-cookie-domain-acceptable
PASS: test-registrable-domain
PASS: test-is-public-all
============================================================================
Testsuite summary for libpsl 0.21.2
============================================================================
# TOTAL: 5
# PASS: 5
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in msvc