Cookie domain security


Recently, I started diving into cookies, but as far as the domain property concerned I don’t experience it as too be that straightforward. I’ve read this article:

http://web.archive.org/web/20200418163316/https://www.mxsasha.eu/blog/2014/03/04/definitive-guide-to-cookie-domains/

It points out the recommendation to keep your cookies safe by hosting your websites with a www-prefix, so www.example.com instead of example.com, as in the latter case, IE explorer (or any browser?) will also send the cookies to any (perhaps malicious) subdomain of example.com. But don’t you own all the subdomains of a given domain you bought? Why can somebody else own a subdomain under your parent domain in the first place? Aren’t you then just setting a cookie for a subdomain someone else owns? That doesn’t make sense, does it?

So it is recommended to avoid having untrusted domains under your domain. She also says this is why GitHub pages is hosted under github.io, not github.com, for example. I don’t understand why .io would be more secure than .com?

I’ve learnt that you can always set a cookie for a less specific domain, e.g. bad.example.com can set a cookie for .example.com but not the other way around. What is the ideology behind this from a security perspective? Is this not just dangerous behavior, because a sub domain (which apparently may be owned by someone else?) then can set cookies for all other sub domains of example.com and the parent domain itself. So a user from malicious.example.com gets granted also access to example.com.

When you set a domain value of .example.com, the cookie will be sent to all sub-domains. Does this have anything to do with having the feature of a shared authentication/authorization mechanism that applies to all applications hosted under several subdomains (e.g. dashboard.example.com and admin.example.com) but related to the parent domain/app?

Maybe I’m on the wrong track, but I don’t quite understand the WHY behind the specifications.

Thanks in advance,

Mike