Merge branch 'gitlab-pages-cookie-security' into 'master'

Add Security section to GitLab Pages documentation

Closes #26913

See merge request gitlab-org/gitlab!42913
parents f8db8d2d 0a687851
...@@ -124,3 +124,24 @@ If you are running a self-managed instance of GitLab (GitLab Community Edition a ...@@ -124,3 +124,24 @@ If you are running a self-managed instance of GitLab (GitLab Community Edition a
[follow the administration steps](../../../administration/pages/index.md) to configure Pages. [follow the administration steps](../../../administration/pages/index.md) to configure Pages.
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> Watch a [video tutorial](https://www.youtube.com/watch?v=dD8c7WNcc6s) about how to get started with GitLab Pages administration. <i class="fa fa-youtube-play youtube" aria-hidden="true"></i> Watch a [video tutorial](https://www.youtube.com/watch?v=dD8c7WNcc6s) about how to get started with GitLab Pages administration.
## Security for GitLab Pages
If your username is `foo`, your GitLab Pages website is located at `foo.gitlab.io`.
GitLab allows usernames to contain a `.`, so a user named `bar.foo` could create
a GitLab Pages website `bar.foo.gitlab.io` that effectively is a subdomain of your
`foo.gitlab.io` website. Be careful if you use JavaScript to set cookies for your website.
The safe way to manually set cookies with JavaScript is to not specify the `domain` at all:
```javascript
// Safe: This cookie is only visible to foo.gitlab.io
document.cookie = "key=value";
// Unsafe: This cookie is visible to foo.gitlab.io and its subdomains,
// regardless of the presence of the leading dot.
document.cookie = "key=value;domain=.foo.gitlab.io";
document.cookie = "key=value;domain=foo.gitlab.io";
```
This issue doesn't affect users with a custom domain, or users who don't set any
cookies manually with JavaScript.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment