Since subdomains of surge.sh can include arbitrary JavaScript, it's possible for evil.surge.sh to steal a cookie from baby.surge.sh, or to perform session fixation attacks, cross-site request forgeries, etc.
I recommend adding surge.sh to the Public Suffix List to avoid letting different subdomains attack other subdomains via the browser's same-origin policy.
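
How a Public Suffix List entry changes cookie scoping, as an added example that is not part of the original report: a simplified JavaScript model of the suffix-list lookup and the RFC 6265 section 5.3 Domain check a browser applies. The rule list is a constructed subset of the real list, and `publicSuffix`, `cookieScope` and `sentTo` are hypothetical helper names.

```javascript
// Constructed mini suffix list; the real Public Suffix List is far larger.
const BASE_RULES = ["sh", "com", "uk", "co.uk"];

// Longest matching public suffix of `host`: exception rules ("!") win,
// "*" matches exactly one label, and the implicit default rule is "*".
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().split(".");
  let best = labels.slice(-1);
  for (const raw of rules) {
    const exception = raw.startsWith("!");
    const rule = (exception ? raw.slice(1) : raw).split(".");
    if (rule.length > labels.length) continue;
    const tail = labels.slice(-rule.length);
    if (!rule.every((l, i) => l === "*" || l === tail[i])) continue;
    if (exception) return tail.slice(1).join("."); // drop the leftmost label
    if (rule.length > best.length) best = tail;
  }
  return best.join(".");
}

// Scope given to a cookie that `requestHost` sets with "Domain=<domainAttr>",
// or null when the browser rejects the cookie.
function cookieScope(requestHost, domainAttr, rules) {
  const host = requestHost.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (publicSuffix(domain, rules) === domain) {
    // A Domain attribute that is a public suffix is only tolerated as host-only.
    return domain === host ? { hostOnly: true, domain: host } : null;
  }
  const matches = host === domain || host.endsWith("." + domain);
  return matches ? { hostOnly: false, domain } : null;
}

// Would a cookie with this scope be sent to `targetHost`?
function sentTo(scope, targetHost) {
  if (!scope) return false;
  if (scope.hostOnly) return targetHost === scope.domain;
  return targetHost === scope.domain || targetHost.endsWith("." + scope.domain);
}

// Compare the two configurations for the hosts named in the report.
const withSurge = [...BASE_RULES, "surge.sh"];
for (const [name, rules] of [["without entry", BASE_RULES], ["with entry", withSurge]]) {
  const scope = cookieScope("evil.surge.sh", "surge.sh", rules);
  console.log(name, "reaches baby.surge.sh:", sentTo(scope, "baby.surge.sh"));
}
```

Without the entry, a cookie set for `surge.sh` by one subdomain is accepted and sent to every sibling; with the entry it is rejected, and each subdomain can only set cookies for itself.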