top | item 41772241

_fool | 1 year ago

...Unless you're savvy. Thank goodness for the availability of https://publicsuffix.org/ (as long as you only use your main domain and don't need to share cookies with your own subdomains), and the includeSubDomains directive to HSTS! But - if you already set this up, you probably are savvy enough to avoid the problems created (or your provider is)
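The cookie-sharing caveat above, as an added example that is not part of the original comment: a small model of the browser's cookie rules (RFC 6265, simplified), using a constructed three-entry stand-in for the public suffix list and the assumed names www.example.com and ads.example.com (the latter standing for a subdomain delegated to a third party). It shows why a Domain=example.com cookie reaches every subdomain, why the Secure attribute only matters over plaintext, and why the public suffix check stops Domain=com.

```python
"""Cookie scoping vs. a delegated subdomain, following RFC 6265 (simplified)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the public suffix list (https://publicsuffix.org/).
# A real implementation loads the full list; this subset is an assumption for the demo.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # Domain attribute (or the setting host if host-only)
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool       # True when Set-Cookie carried the Secure attribute


def canonical(host: str) -> str:
    return host.lower().rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = canonical(request_host), canonical(cookie_domain)
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def set_cookie(setting_host: str, name: str, domain_attr: Optional[str] = None,
               secure: bool = False) -> Optional[Cookie]:
    """Model the browser's Set-Cookie processing (RFC 6265 section 5.3, steps 5-6).
    Returns None when the browser would ignore the cookie entirely."""
    setting_host = canonical(setting_host)
    if domain_attr is None:
        return Cookie(name, setting_host, host_only=True, secure=secure)
    domain = canonical(domain_attr.lstrip("."))
    # A Domain that is a public suffix is only honoured as a host-only cookie on that
    # exact host; otherwise the cookie is dropped. This is the publicsuffix.org check.
    if domain in PUBLIC_SUFFIXES:
        if domain == setting_host:
            return Cookie(name, setting_host, host_only=True, secure=secure)
        return None
    # The setting host must itself sit inside the requested Domain.
    if not domain_matches(setting_host, domain):
        return None
    return Cookie(name, domain, host_only=False, secure=secure)


def cookies_sent(jar: List[Cookie], url: str) -> List[str]:
    """Names of the cookies a browser attaches to a request for url (RFC 6265 section 5.4)."""
    parts = urlsplit(url)
    host = canonical(parts.hostname or "")
    over_tls = parts.scheme == "https"
    sent = []
    for c in jar:
        if c.host_only and host != c.domain:
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if c.secure and not over_tls:
            continue
        sent.append(c.name)
    return sent


def demo():
    # The site sets its session cookies from www.example.com; ads.example.com is the
    # subdomain it handed (via CNAME) to a third party's web server.
    jar = [c for c in (
        set_cookie("www.example.com", "sid_shared", domain_attr="example.com", secure=True),
        set_cookie("www.example.com", "sid_hostonly", secure=True),
        set_cookie("www.example.com", "bad_suffix", domain_attr="com"),
    ) if c is not None]
    return {
        "https://ads.example.com/pixel": cookies_sent(jar, "https://ads.example.com/pixel"),
        "http://ads.example.com/pixel": cookies_sent(jar, "http://ads.example.com/pixel"),
        "https://www.example.com/": cookies_sent(jar, "https://www.example.com/"),
    }


if __name__ == "__main__":
    for url, names in demo().items():
        print(f"{url}: {names}")
```

The host-only cookie (no Domain attribute) is the only one the delegated subdomain never sees; Secure merely keeps the shared cookie off the plaintext request, which is exactly why it stops mattering once that subdomain serves HTTPS.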

aaronmdjones | 1 year ago

HSTS won't prevent this at all; the advertiser merely needs to also set up TLS by getting a certificate for that subdomain, which they can already do precisely because it goes to their web server -- not yours. This also lets them steal cookies marked secure (sent over HTTPS only).

Edit: A combination of DNS CAA with an account identifier restriction in the record would prevent this. Then the advertiser would complain, and any ads served would have to be over plaintext, which would cause browser warnings about mixed content and allow MITM injection of (more) malicious content.
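The CAA idea in the comment above, as an added example (not code from either commenter): a simplified CA-side issuance check following RFC 8659 (walk up to the nearest CAA RRset, honour issue/issuewild and the critical flag) plus the accounturi parameter from RFC 8657. The zone data is constructed, "ca.example" is a hypothetical CA, and the account URIs are made up; the point is that a party who controls only the CNAME target of ads.example.com still cannot satisfy the account restriction the zone owner placed at example.com.

```python
"""CAA issuance check with the accounturi restriction (RFC 8659 + RFC 8657), simplified."""
from typing import Dict, List, NamedTuple, Optional

CRITICAL = 0x80  # RFC 8659 section 4.1: issuer-critical flag bit


class CAA(NamedTuple):
    flags: int
    tag: str
    value: str


# Constructed zone data standing in for live DNS. "ca.example" is a hypothetical CA and
# the accounturi is the site's own (made-up) ACME account URI at that CA.
ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        CAA(0, "issue", "ca.example; accounturi=https://acme.ca.example/acct/1234"),
    ],
    "locked.example": [CAA(0, "issue", ";")],               # explicit: no CA may issue
    "strict.example": [CAA(CRITICAL, "tbs", "Unknown")],    # critical tag the CA does not know
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa_set(name: str) -> List[CAA]:
    """RFC 8659 section 3: the CAA RRset at the name, else the nearest ancestor's."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = ZONE.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def parse_issue_value(value: str):
    """'issuer-domain; k=v; k=v' -> (issuer, {k: v}); an empty issuer means nobody."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def may_issue(name: str, ca_domain: str, account_uri: Optional[str],
              wildcard: bool = False) -> bool:
    """May the CA identified by ca_domain, acting for ACME account account_uri,
    issue for name (a wildcard request when wildcard=True)?"""
    rrset = relevant_caa_set(name)
    # Any critical record the CA does not understand forbids issuance (section 4.1).
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if wildcard and not relevant:   # section 4.3: without issuewild, issue records apply
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True                 # no CAA restriction: any CA may issue
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue
        wanted = params.get("accounturi")
        if wanted is not None and wanted != account_uri:   # RFC 8657 section 3: exact match
            continue
        return True
    return False


if __name__ == "__main__":
    site = "https://acme.ca.example/acct/1234"
    outsider = "https://acme.ca.example/acct/9999"
    print("site account, ads.example.com:", may_issue("ads.example.com", "ca.example", site))
    print("other account, ads.example.com:", may_issue("ads.example.com", "ca.example", outsider))
    print("other CA, ads.example.com:", may_issue("ads.example.com", "other-ca.example", site))
```

The record lives at example.com, so it covers every subdomain that lacks its own CAA RRset, including the delegated one; the third party would need the zone owner to add a second issue record naming their account before any CA honouring CAA would issue for it.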