Cookie domain security

Recently, I started diving into cookies, but as far as the domain property is concerned I don’t experience it as being that straightforward. I’ve read this article:

It points out the recommendation to keep your cookies safe by hosting your websites with a www-prefix, so instead of, as in the latter case, IE explorer (or any browser?) will also send the cookies to any (perhaps malicious) subdomain of But don’t you own all the subdomains of a given domain you bought? Why can somebody else own a subdomain under your parent domain in the first place? Aren’t you then just setting a cookie for a subdomain someone else owns? That doesn’t make sense, does it?

So it is recommended to avoid having untrusted domains under your domain. She also says this is why GitHub pages is hosted under, not, for example. I don’t understand why .io would be more secure than .com?

I’ve learnt that you can always set a cookie for a less specific domain, e.g. can set a cookie for but not the other way around. What is the ideology behind this from a security perspective? Is this not just dangerous behavior, because a subdomain (which apparently may be owned by someone else?) then can set cookies for all other subdomains of and the parent domain itself. So a user from gets granted also access to

When you set a domain value of, the cookie will be sent to all subdomains. Does this have anything to do with having the feature of a shared authentication/authorization mechanism that applies to all applications hosted under several subdomains (e.g. and but related to the parent domain/app?

Maybe I’m on the wrong track, but I don’t quite understand the WHY behind the specifications.

Thanks in advance,
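The rules the question circles around are the cookie storage and matching rules of RFC 6265 (sections 5.1.3 and 5.3): a server may only set a cookie for a Domain that its own host name domain-matches (so a subdomain can set a cookie for its parent, never the reverse), a Domain that is a public suffix is refused outright, and a cookie without a Domain attribute is host-only. The following is an added example, not code from the original post, that models those rules in plain JavaScript so the cases from the question can be checked directly. The `PUBLIC_SUFFIXES` set is a hand-picked stand-in for the browser's real Public Suffix List (which is the reason a cookie for `Domain=github.io` is refused, while a cookie for `Domain=github.com` would be shared across all `*.github.com` hosts), and the host names are constructed for the example.

```javascript
// Added example (not from the original post): a minimal model of the
// RFC 6265 cookie Domain rules. PUBLIC_SUFFIXES is a tiny stand-in for
// the Public Suffix List that real browsers consult.
const PUBLIC_SUFFIXES = new Set(['com', 'io', 'co.uk', 'github.io']);

// RFC 6265 section 5.1.3: `host` domain-matches `domain` when they are
// identical, or `domain` is a suffix of `host` preceded by a '.'.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Model of the browser's storage decision (RFC 6265 section 5.3, steps
// 4-6) for a Set-Cookie received from `requestHost`. `domainAttr` is the
// Domain attribute, or null when absent. Returns the stored scope, or
// null when the browser ignores the cookie.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (domainAttr === null || domainAttr === '') {
    // No Domain attribute: host-only cookie, sent to this exact host only.
    return { domain: host, hostOnly: true };
  }
  // A leading dot is ignored (RFC 6265 section 5.2.3).
  const domain = domainAttr.toLowerCase().replace(/^\./, '');
  if (PUBLIC_SUFFIXES.has(domain)) {
    // Step 5: a public suffix is refused, unless it is the host itself,
    // in which case the cookie is downgraded to host-only.
    return domain === host ? { domain: host, hostOnly: true } : null;
  }
  // Step 6: the request host must domain-match the Domain attribute.
  // A subdomain may set a cookie for its parent; the reverse is refused.
  if (!domainMatches(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the browser attach the stored cookie to a request for `host`?
function isSentTo(cookie, host) {
  if (cookie === null) return false;
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Walk through the situations from the question (constructed hosts).
function demo() {
  const cases = [
    ['www.example.com', null],               // host-only
    ['www.example.com', 'example.com'],      // shared with every subdomain
    ['app.example.com', 'example.com'],      // subdomain sets for parent: ok
    ['example.com', 'app.example.com'],      // parent sets for subdomain: refused
    ['alice.github.io', 'github.io'],        // public suffix: refused
    ['example.com', 'com'],                  // public suffix: refused
  ];
  return cases.map(([host, attr]) => {
    const cookie = storeCookie(host, attr);
    return {
      setBy: host,
      domainAttr: attr,
      stored: cookie !== null,
      sentToEvilSubdomain: isSentTo(cookie, 'evil.example.com'),
    };
  });
}

for (const row of demo()) console.log(row);
```

The last column of `demo()` is the point of the article the question cites: once a cookie carries `Domain=example.com`, the browser sends it to any host under that domain, so whoever controls a subdomain receives it. A host-only cookie (no Domain attribute) is never sent to a subdomain, and a public suffix can never become a shared cookie domain at all.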