Revisions from technical writing team

Revised the sentences to improve flow, and adhere more closely to GitLab tone and style.

Revisions from technical writing team
Revised the sentences to improve flow, and adhere more closely to GitLab tone and style.
0a687851 · Dominic Couture · Amy Qualls (slowly returning after surgery) · 4df29625 · 0a687851
Commit 0a687851 authored Sep 22, 2020 by Dominic Couture Committed by Amy Qualls (slowly returning after surgery) Sep 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 0 deletions

doc/user/project/pages/index.md doc/user/project/pages/index.md +21 -0

No files found.
--- a/doc/user/project/pages/index.md
+++ b/doc/user/project/pages/index.md
@@ -124,3 +124,24 @@ If you are running a self-managed instance of GitLab (GitLab Community Edition a
 [follow the administration steps](../../../administration/pages/index.md) to configure Pages.

 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i> Watch a [video tutorial](https://www.youtube.com/watch?v=dD8c7WNcc6s) about how to get started with GitLab Pages administration.
+
+## Security for GitLab Pages
+
+If your username is `foo`, your GitLab Pages website is located at `foo.gitlab.io`.
+GitLab allows usernames to contain a `.`, so a user named `bar.foo` could create
+a GitLab Pages website `bar.foo.gitlab.io` that effectively is a subdomain of your
+`foo.gitlab.io` website. Be careful if you use JavaScript to set cookies for your website.
+The safe way to manually set cookies with JavaScript is to not specify the `domain` at all:
+
+```javascript
+// Safe: This cookie is only visible to foo.gitlab.io
+document.cookie = "key=value";
+
+// Unsafe: This cookie is visible to foo.gitlab.io and its subdomains,
+// regardless of the presence of the leading dot.
+document.cookie = "key=value;domain=.foo.gitlab.io";
+document.cookie = "key=value;domain=foo.gitlab.io";
+```
+
+This issue doesn't affect users with a custom domain, or users who don't set any
+cookies manually with JavaScript.