Egor Homakov's write-up of the session fixation and CSRF vulnerabilities that this addresses: http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html
Poor form not crediting Homakov, GitHub. Credit means a lot to security researchers (that is all a lot of us are working for). If you aren't even giving simple credit, you are asking to be compromised the next time an issue is found. GitHub is large enough and prominent enough where it should have an entire bounty program, let alone giving a blogger a link.
Not sure yet how I feel about the .io bandwagon that seems to be going around; I think I mainly don't like taking a TLD that is specifically designated for a country and attempting to attach a different meaning to it. I just don't know if my pedantry is justified... Yes, I know it's been happening forever, but that doesn't make it right. I do like the delineation between official GitHub content and user-content, but there are definitely other ways to go about the problem without buying into the latest TLD fad.
This is certainly good news for HN, more than a few times I have been misled into thinking a pages.github.com submission was an official GitHub announcement.
When I go to http://pages.github.com/, I see absolutely no way to *make* a GitHub Page. How do you set one up? EDIT: I know I could probably find the info in an FAQ, if I needed to. My point is that the images on that page seem to show a nice WYSIWYG online editor for creating and publishing pages. I'm looking for a big call to action button that takes me *there*, similar to how easy it is to publish to https://gist.github.com/.
Great all around, I hate all the links that show up here as from github.com when they're actually from username.github.com, or even gist.github.com. Though I guess this doesn't say anything about gists, maybe they should move those to their own domain too. Although I really think HN should show the first level subdomain of a domain if one exists.
It's a real pain that "project pages", i.e. serving the gh-pages branch from username.github.com/project aren't being redirected, for example: http://nightworld.github.com/odlnorth just 404s. Is this an oversight or am I missing something?
Security vulnerability 3: Websites could sniff passwords of users with password-saving browser extensions. If the extension autofills the username and password (and some do out of the box), then a bit of JavaScript on a GitHub Pages site could have stolen those users' GitHub passwords. Excellent move on GitHub's part here.
"If your Pages site was previously served from a username.github.com domain, all traffic will be redirected to the new username.github.io location indefinitely" i.e., Phishers, no need to change your email templates!
"As a general rule, it's not possible to securely allow arbitrary user-provided content on a subdomain." This rule is also good to keep in mind when choosing a domain for non-production environments!
I think .io is a much better choice than .co, because .co is easily confused with .com. .io is so completely different that it is less easily confused with .com. Note that Overstock totally rebranded their domain to o.co and found that a very large percentage of visitors were typing in o.com instead of o.co and they were losing a very significant amount of traffic.
The docs for user pages appear to have been auto-rewritten to name the repository with a .io suffix, but the cited URL doesn't seem to work. See https://help.github.com/articles/user-organization-and-project-pages, click the defunkt demo link.
I like SaaS companies so much more than traditional ones largely because they offer support effectively.
Test case: Try to find the number to call to replace your Bluetooth headset.