
As someone who used to work on Facebook open source, that makes sense! After all, an insecure subdomain could lead to all sorts of problems on facebook.com. Phishing, stealing cookies, there's a lot of ways it could go wrong.

Whereas, if one engineer spins up some random static open source documentation website on AWS, it really can't go wrong in a way that causes trouble for the rest of the company.



My initial comment was sardonic but this is a good point.

My IT experiences elsewhere have left me a little jaded. :)


I wasn't aware of that, but it's intriguing! Eager to learn more about subdomains and vulnerabilities - any resources you'd recommend?


Read about the Same-Origin Policy and Content Security Policy. MDN is a canonical resource for this.


And you would learn that if you don't have wildcard cookies, which I generally wouldn't recommend, subdomains are isolated from each other. But with Meta, if the brand weren't tarnished, a new domain for subdomains, like Google's withgoogle.com and web.dev, would be a good place to add sites like this rather than subdomain.facebook.com.
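
The cookie scoping that the comment above refers to, as an added example that is not part of the thread: a simplified model of RFC 6265 domain matching, showing which hosts receive a cookie set with and without a `Domain` attribute. The function names and the host list are constructed for illustration, and public-suffix and IP-address handling are left out.

```javascript
// RFC 6265 section 5.1.3 domain-match (host names only, no IP addresses):
// the host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Model how a browser stores a cookie received from setterHost.
// domainAttr is the Domain attribute value, or null when it is absent.
function storeCookie(setterHost, name, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    // No Domain attribute: host-only cookie, bound to the exact setting host.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only scope a cookie to itself or to one of its parent domains.
  if (!domainMatch(setterHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Decide whether a stored cookie is attached to a request for requestHost.
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

function recipients(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed host list for the demonstration.
const HOSTS = ["facebook.com", "www.facebook.com", "subdomain.facebook.com", "web.dev"];

// Host-only cookie: stays on www.facebook.com.
const hostOnly = storeCookie("www.facebook.com", "session", null);
// Domain-wide ("wildcard") cookie: shared with every subdomain.
const domainWide = storeCookie("www.facebook.com", "session", "facebook.com");

console.log("host-only   ->", recipients(hostOnly, HOSTS));
console.log("domain-wide ->", recipients(domainWide, HOSTS));
console.log("cross-site  ->", storeCookie("web.dev", "session", "facebook.com"));
```
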



