Disable forwarding from <orga>.github.io/<repo> to foo-bar.pages.github.io/

Hi,

We have an internal site published with github pages.
We also found here, that there is a very nice clean pattern for the github pages to be used.

The problem I am facing is, that when I try to access the github pages using the nice pattern of myorga.github.io/myrepo I get forwarded to the generated github pages path.

I would expect it would stay at that page with the nice pattern.

Is there a setting I am missing?


Hi there @huehnerlady! We experimented with a few different ways to have a nicer pattern for the default subdomain of private pages sites, but ultimately decided that the generated name was the only way to ensure the default URL was secure. Due to the Same-Origin policy, if the page was served from the path like it is for public pages sites, the content on the site would be at risk of XSS style attacks, and is therefore not supported for internal/private pages.

The pattern where myorga.github.io/myrepo redirects to the authenticated (internal) page is intended to serve a similar use case to a URL shortener; meaning the easier to remember URL ultimately is responsible for looking up the domain name of the internal page and redirecting users so that the content is served securely from the site’s unique origin.

The other option for a cleaner domain is to add a custom domain to the internal site. Since the custom domain is a unique origin, it’s more secure than using path-based routing, and allows you full control of the URL of the page.

Hope that helps explain what’s going on!


I echo @tcbyrd comments.

One word of warning with using CNAMEs on highly sensitive properties (domains). Audit how apps sign their cookies first. If they are signed at the apex, then you need to change that first.


@tcbyrd sorry for the late response and many thanks for the explanation.
I thought the private site is secured by having to log into the account?

Is there a plan to change the behaviour of the forwarding in the future?

It is, but this is done by setting an authorization cookie in the user’s browser. While only the user with that cookie can access the site, if the site was on the shared origin of <org>.github.io, other (public or private) pages could publish content on this same origin that would execute in that user’s session. This means anyone in the org would have the ability to publish JavaScript that could access paths they would otherwise not have access to. We avoid this category of security issue by ensuring the private pages site lives on its own isolated origin.

Is there a plan to change the behaviour of the forwarding in the future?

Unfortunately, since this depends on the security model of the browser, we cannot change the behavior. There have been a few proposals by browser makers to try and address this situation, but as of today there isn’t a standardized way for browsers to isolate user sessions in a browser based on the path.
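The two boundaries the replies above rely on, the browser origin (scheme, host, port) that makes the generated subdomain safe and the cookie domain-match rule behind the CNAME/apex-cookie warning, as an added example that is not part of the thread or of GitHub's code; it uses the hostnames from the thread plus a constructed example.com scenario, and assumes a session cookie whose Domain attribute is the value passed in.

```javascript
// Added example, not from the thread: models the same-origin policy and the
// RFC 6265 section 5.1.3 cookie domain-match rule, then rates where a Pages
// auth cookie could be reached by content other people in the org can publish.

// Origin tuple used by the same-origin policy: scheme + host + port.
// The URL path is not part of it, which is why path-based hosting cannot isolate sites.
function originOf(url) {
  return new URL(url).origin;
}

// RFC 6265 5.1.3: a host domain-matches a cookie Domain when it is equal to it or
// ends with "." + domain, so a cookie scoped to the apex is sent to every subdomain.
// (The cookie Path attribute is deliberately ignored: RFC 6265 8.6 says it is not a
// security boundary, since a page on the same host can still read other paths.)
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Rate one hosting choice for a private site served at `siteUrl` whose session
// cookie carries `Domain=cookieDomain`; `others` are URLs that other org members
// can publish content to. Isolated means no other site shares the origin and
// none of them would receive the cookie.
function assess(siteUrl, cookieDomain, others) {
  const site = new URL(siteUrl);
  const sharedOrigin = others.filter((o) => originOf(o) === site.origin);
  const cookieLeaks = others.filter((o) => domainMatches(new URL(o).hostname, cookieDomain));
  return { isolated: sharedOrigin.length === 0 && cookieLeaks.length === 0, sharedOrigin, cookieLeaks };
}

// Constructed scenarios (hostnames are placeholders, not real sites).
const otherSites = [
  "https://myorga.github.io/another-repo/", // any member's public project site
  "https://help.example.com/",              // another app on the org's own domain
];
// 1. path-based URL: shares its origin with every other project site in the org
const pathBased = assess("https://myorga.github.io/myrepo/", "myorga.github.io", otherSites);
// 2. generated subdomain: unique origin, host-only cookie
const generated = assess("https://foo-bar.pages.github.io/", "foo-bar.pages.github.io", otherSites);
// 3. custom domain whose cookie is scoped to the apex (the CNAME warning above)
const apexCookie = assess("https://docs.example.com/", "example.com", otherSites);

console.log({ pathBased, generated, apexCookie });
```

Only the generated subdomain (and a custom domain with a host-only cookie) comes out as isolated; the apex-scoped cookie case fails on cookie scope even though its origin is unique.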

I see. Thanks for the explanation 🙂