since subdomains to surge.sh can include arbitrary javascript, it's possible for evil.surge.sh to steal a cookie from baby.surge.sh, or to perform session fixation attacks, cross-site request forgeries, etc.
I recommend adding surge.sh to the Public Suffix List to avoid letting different subdomains attack other subdomains via the browser's same origin policy.
since subdomains to
surge.shcan include arbitrary javascript, it's possible forevil.surge.shto steal a cookie frombaby.surge.sh, or to perform session fixation attacks, cross-site request forgeries, etc.I recommend adding
surge.shto the Public Suffix List to avoid letting different subdomains attack other subdomains via the browser's same origin policy.