XSS security concerns from untrusted parent domains
There's lots of discussion about protecting content on example.com from user controlled content on subdomain.example.com (e.g. Github pages). What are the risks the other way around?
If my content is hosted at subdomain.example.com, what attacks am I exposed to from untrusted content hosted on example.com?
Some things I can think of:
- Parent domain can write cookies which will be visible on the child
- Parent domain can read any cookies that have been set for the parent domain, but not those on the subdomain (I think)
- Parent domain could enable HSTS, to force HTTPS on the subdomain.
- ...and more?
More specifically, for context: we host user's content on user domain like [user_id].usercontent.com, passing their requests/responses through a proxy we control. We're considering adding authentication for some requests, and hosting our authentication service at auth.[user_id].usercontent.com, so we can set auth cookies that will be visible in requests as they hit the proxy that hosts the user content. How could the user content attack these authentication pages?
