iftechfoundation/ifcomp

Isolate online play entries with subdomains

Closed this issue · 2 comments

The comp allows for arbitrary JavaScript code to be uploaded and run from the main comp domain. This is a substantial security risk. The play online pages should be put on a separate subdomain, and ideally isolated from each other on different subdomains.

This is a very good point - you're not the first to call this out, and as such I'm more wont to give it some attention.

Let's aim to get this solved by October 1.

The first thing to investigate is whether having lots of subdomains, e.g. [game-id].play.ifcomp.org, would work with Let's Encrypt.
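
An added example, not part of the issue thread or the ifcomp code base: it models the browser's same-origin check and RFC 6265 cookie domain-matching to show what the proposed `[game-id].play.ifcomp.org` layout isolates and what it does not. The game IDs, the `/play/` path and the cookie names are constructed assumptions.

```javascript
// Added illustration; hostnames, paths and cookie names below are constructed.
const MAIN = "https://ifcomp.org/";

// Same-origin policy: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 domain-match: a cookie set with a Domain attribute is sent to that
// domain and every subdomain; a host-only cookie goes only to the exact host.
function cookieSentTo(cookie, url) {
  const host = new URL(url).hostname;
  if (!cookie.domain) return host === cookie.setBy;
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Audit one entry URL: do its scripts share the main site's origin, and which
// cookies would the browser attach to requests for it (and expose to its
// scripts through document.cookie unless they are HttpOnly)?
function auditEntry(entryUrl, cookies) {
  return {
    sharesMainOrigin: sameOrigin(entryUrl, MAIN),
    cookiesExposed: cookies.filter(c => cookieSentTo(c, entryUrl)).map(c => c.name),
  };
}

const cookies = [
  { name: "session_hostonly", setBy: "ifcomp.org" },                   // no Domain attribute
  { name: "session_wide", setBy: "ifcomp.org", domain: "ifcomp.org" }, // Domain=ifcomp.org
];

const layouts = {
  samePath: "https://ifcomp.org/play/1234/index.html",   // entries on the main domain
  perGame: "https://1234.play.ifcomp.org/index.html",    // one subdomain per entry
  otherGame: "https://5678.play.ifcomp.org/index.html",
};

for (const [name, url] of Object.entries(layouts)) console.log(name, auditEntry(url, cookies));
console.log("entries isolated from each other:", !sameOrigin(layouts.perGame, layouts.otherGame));
```

The per-entry subdomain separates origins, but a session cookie set with `Domain=ifcomp.org` still reaches every entry, so the main site's cookies need to be host-only for the isolation to hold.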