Serving “less trusted” content on the same domain
Let’s say we run a web app at "example.org". It uses cookies for user authentication.

Our website also has a blog at "example.org/blog", hosted by a third party. Our load balancer routes all requests to "/blog" (and subpaths) to our blog host’s servers. We don’t distrust them, but we’d prefer if security issues with the blog host can’t affect our primary web app.

Here are the security concerns I’m aware of, along with possible solutions.

  1. The requests to the blog host will contain our users’ cookies.
    • Solution: Have the load balancer strip cookies before forwarding requests to the blog host.
  2. An XSS on the blog allows the attacker to inject JS and read the cookie.
    • Solution: Use "HTTP-only" cookies.
  3. An XSS on the blog allows the attacker to inject JS and make an AJAX request to "example.org" with the user’s cookies. Because of the same origin policy, the browser allows the attacker’s JS to read the response.
    • Solution: Have the load balancer add some Content-Security-Policy to the blog responses? What’s the right policy to set?
    • Solution: Suborigins (link) looks nice, but we can’t depend on browser support yet.

Is there a way to safely host the blog on the same domain?
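As an added example (not part of the question above, and not any particular blog host’s configuration), here is how the three mitigations the question lists look when the load balancer is nginx. The upstream names `primary_app` and `blog_host`, the placeholder hostname and the `/blog` prefix are all assumptions. For point 3 it uses the CSP `sandbox` directive without `allow-same-origin`, which gives every blog document an opaque origin, so injected script can neither read `document.cookie` nor read responses from `example.org`; `connect-src 'none'` additionally stops the page from issuing fetch/XHR/WebSocket requests at all.

```nginx
# Added example: nginx as the load balancer in front of example.org.
# Upstream names, the placeholder host and the /blog prefix are assumptions.
upstream primary_app {
    server 127.0.0.1:8080;                     # placeholder: our own web app
}

upstream blog_host {
    server blog-provider.invalid:443;          # placeholder: third-party blog host
}

server {
    listen 443 ssl;
    server_name example.org;

    # Everything except /blog goes to the primary app untouched.
    location / {
        proxy_pass http://primary_app;
    }

    location /blog {
        proxy_pass https://blog_host;
        proxy_set_header Host example.org;

        # 1. Never forward the user's session cookie to the third party.
        #    An empty value makes nginx drop the header from the proxied request.
        proxy_set_header Cookie "";

        #    Also stop the blog host from setting cookies on example.org.
        proxy_hide_header Set-Cookie;

        # 3. Opaque origin for blog documents (sandbox without allow-same-origin):
        #    - document.cookie is inaccessible to any script on the page,
        #    - responses from example.org are cross-origin and unreadable,
        #    - connect-src 'none' blocks fetch/XHR/WebSocket from the page entirely.
        #    "always" adds the header to 4xx/5xx responses from the blog host too.
        add_header Content-Security-Policy
            "sandbox allow-scripts allow-forms allow-popups; connect-src 'none'" always;
    }
}
```

Point 2 (`HttpOnly`) is set where the primary app issues its session cookie, not at the load balancer. Two things to check after deploying this: a sandboxed document also loses `localStorage` and its own cookies, so the blog’s own client-side features need to be tested under the policy; and `add_header` inside a `location` block replaces any `add_header` directives inherited from the `server` block, so headers set globally (e.g. `Strict-Transport-Security`) must be repeated here.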