GitHub recently completed a migration of all GitHub Pages to the github.io domain to address vulnerabilities related to phishing and cross-domain cookie attacks. The technical blog post explains the security risks associated with hosting user content on subdomains, such as the potential for "cookie tossing" attacks, where cookies set in subdomains could be sent alongside legitimate cookies to the main domain, causing confusion and potential security issues. The post details various attack scenarios, including cookie tossing using the JavaScript API, cookie path manipulations, URL-encoded cookie names, and cookie overflow tactics that exploit browser limits on cookie numbers. It also describes GitHub's countermeasures, such as implementing Rack middleware to filter out duplicate cookies and using brute-force methods to clear malicious cookies. Despite these efforts, the blog emphasizes the limitations of server-side defenses against such attacks, particularly given the varying behaviors of web browsers like Chrome and Firefox. The migration to a separate domain was deemed necessary to mitigate these security risks effectively, highlighting the challenges of managing cookies and the ongoing evolution of browser security practices.
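The duplicate-cookie filtering described above, as an added example (not GitHub's code and not from the original post), written as Rack-style middleware in plain Ruby. The cookie name `_session`, the class name and the `cookie_filter.tossed` env key are assumptions; names are compared after URL-decoding on the assumption that the application framework decodes cookie names before lookup.

```ruby
require "uri"

# Added example: drops protected cookies that arrive more than once.
# PROTECTED, the class name and the env key are hypothetical.
class DuplicateCookieFilter
  PROTECTED = %w[_session].freeze

  def initialize(app, protected_names: PROTECTED)
    @app = app
    @protected = protected_names
  end

  # Split a raw Cookie header into [decoded_name, raw_pair] tuples.
  def self.parse(header)
    header.to_s.split(/;\s*/).reject(&:empty?).map do |pair|
      raw_name = pair.split("=", 2).first.to_s.strip
      name = begin
        URI.decode_www_form_component(raw_name)
      rescue ArgumentError
        raw_name # malformed %-escape: compare the raw text instead
      end
      [name, pair]
    end
  end

  # Protected names that occur more than once after decoding.
  def self.tossed(header, protected_names = PROTECTED)
    counts = parse(header).map(&:first).tally
    protected_names.select { |n| counts.fetch(n, 0) > 1 }
  end

  # Header with every copy of a duplicated protected cookie removed.
  def self.filter(header, protected_names = PROTECTED)
    bad = tossed(header, protected_names)
    parse(header).reject { |name, _| bad.include?(name) }.map(&:last).join("; ")
  end

  def call(env)
    header = env["HTTP_COOKIE"]
    dupes = self.class.tossed(header, @protected)
    unless dupes.empty?
      env["cookie_filter.tossed"] = dupes # lets the app log and re-authenticate
      env["HTTP_COOKIE"] = self.class.filter(header, @protected)
    end
    @app.call(env)
  end
end
```

Every copy is dropped, not just the extra one, because the `Cookie` request header carries no domain or path, so the server cannot tell which copy is the legitimate one.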