New GitHub Pages domain: github.io
Beginning today, all GitHub Pages sites are moving to a new, dedicated
domain: github.io. This is a security measure aimed at removing potential
vectors for cross domain attacks targeting the main github.com session as well
as vectors for phishing attacks relying on the presence of the “github.com”
domain to build a false sense of trust in malicious websites.
If you’ve configured a custom domain for your Pages site (“yoursite.com”
instead of “yoursite.github.com”) then you are not affected by this change
and may stop reading now.
If your Pages site was previously served from a username.github.com domain,
all traffic will be redirected to the new username.github.io location
indefinitely, so you won’t have to change any links. For example, newmerator.github.com now redirects to newmerator.github.io.
From this point on, any website hosted under the github.com domain may be
assumed to be an official GitHub product or service.
Please contact support if you experience any issues due to these changes.
We’ve taken measures to prevent any serious breakage but this is a major change
and could have unexpected consequences. Do not hesitate to contact support for assistance.
Technical details
Changes to Pages sites and custom domains:
- All User, Organization, and Project Pages not configured with a custom
domain are now hosted on github.io instead of github.com. For
instance, username.github.com is now served canonically from
username.github.io.
- An HTTP 301 Moved Permanently redirect has been added for all *.github.com
sites to their new *.github.io locations.
- Pages sites configured with a custom domain are not affected.
- The Pages IP address has not changed. Existing A records pointing to the
Pages IP are not affected.
Changes to GitHub repositories:
- User Pages repositories may now be named using the new username/username.github.io
convention or the older username/username.github.com convention.
- Existing User Pages repositories named like username/username.github.com do not
need to be renamed and will continue to be published indefinitely.
- If both a username.github.io and a username.github.com repository exist,
the username.github.io version wins.
Security vulnerability
There are two broad categories of potential security vulnerabilities that led to
this change.
- Session fixation and CSRF vulnerabilities resulting from a browser security issue
sometimes referred to as “Related Domain Cookies”. Because Pages sites
may include custom JavaScript and were hosted on github.com subdomains,
it was possible to write (but not read) github.com domain cookies in
a way that could allow an attacker to deny access to github.com and/or fixate
a user’s CSRF token.
- Phishing attacks relying on the presence of the “github.com” domain to
create a false sense of trust in malicious websites. For instance, an
attacker could set up a Pages site at “account-security.github.com” and ask
that users input password, billing, or other sensitive information.
We have no evidence of an account being compromised due to either type of
vulnerability and have mitigated all known attack vectors.
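The "Related Domain Cookies" issue described above follows from the browser's cookie scoping rule. This added example (not from the original post and not GitHub's code) models RFC 6265 domain matching and shows why user content on a github.com subdomain shares a cookie scope with github.com while the same content on github.io does not. Hostnames are constructed sample values, and the Public Suffix List check that real browsers perform is reduced here to never trying a single-label domain.

```javascript
// Simplified model of RFC 6265 cookie scoping (sections 5.1.3 and 5.3).
// Assumption: IP-address hosts and the Public Suffix List are not modelled.

// RFC 6265 5.1.3: host domain-matches cookieDomain if the two are identical
// or host ends with "." + cookieDomain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// RFC 6265 5.3: a Set-Cookie with Domain=cookieDomain is ignored unless the
// responding host domain-matches that attribute.
function canSetCookieFor(setterHost, cookieDomain) {
  return domainMatches(setterHost, cookieDomain);
}

// A cookie written by setterHost with Domain=cookieDomain is sent to
// targetHost only if the write was accepted and targetHost matches as well.
function cookieReaches(setterHost, cookieDomain, targetHost) {
  return canSetCookieFor(setterHost, cookieDomain) &&
         domainMatches(targetHost, cookieDomain);
}

// Audit helper (hypothetical name): given the host that holds the session
// and the hosts that serve user-controlled content, return the content
// hosts that share a cookie scope with the session host.
function hostsSharingCookieScope(appHost, contentHosts) {
  return contentHosts.filter((host) => {
    const labels = host.split(".");
    // Try the host itself and each parent domain, stopping before the
    // single-label suffix ("com", "io"), which browsers refuse outright.
    for (let i = 0; i < labels.length - 1; i++) {
      const scope = labels.slice(i).join(".");
      if (cookieReaches(host, scope, appHost)) return true;
    }
    return false;
  });
}

// Constructed sample: the same Pages site before and after the move.
const flagged = hostsSharingCookieScope("github.com", [
  "username.github.com",
  "username.github.io",
]);
console.log(flagged); // only the github.com-hosted site is flagged
```

The same helper can be pointed at any application host and its list of user-content hosts to confirm that untrusted content is served from a separate registrable domain.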