
> "That’s because .github.io is not on the Public Suffix List."

I'm confused because I remember github.io always mentioned in explanations of the public suffix list and as rationale why the list exists. Looking at the list it sure enough is there. What am I missing?




I think the public suffix list only works exactly one level down (otherwise you wouldn't be able to share cookies with sub-levels that _should_ be able to share cookies).

Thus, with `github.io' on the list, everything on `*.github.io' can't share with each other, but everything on `*.a.github.io' _can_. The author is sharing between `private-org.github.io' and `private-page.private-org.github.io', which is allowed because `private-org.github.io' (or the more general `*.github.io') isn't on the list.


I think you're missing that github.io is a public suffix but microsoft.github.io or yourcorp.github.io isn't. He finds a publicproj.microsoft.github.io and abuses the fact it shares cookies with privateproj.microsoft.github.io.

I think him mentioning {anything}.github.io not being on the public suffix list is a slight misunderstanding. While true, it's expected. The same is true for {anything}.com.


I thought it might have been added after the incident, but a `git blame` says otherwise:

    7b7f575f public_suffix_list.dat                  (Simone Carletti                   2013-04-23 11:51:10 +0100 11950) github.io


github.io is on the list. *.github.io is not. They are different. The rule only goes one level down.

The github.io rule means foo.github.io cannot share with bar.github.io.

However foo.private-org.github.io can share with bar.private-org.github.io. The *.github.io rule would prevent that.
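
The one-level-down behaviour described in this comment, as an added example that is not code from the thread: a minimal implementation of the Public Suffix List matching algorithm (plain, `*.` wildcard and `!` exception rules, which goes a little beyond what the thread covers), with constructed rule sets and hostnames showing which pairs of hosts end up under the same registrable domain and can therefore share cookies.

```python
# Added example (not code from the thread): a minimal Public Suffix List matcher,
# used to show why the `github.io` rule isolates foo.github.io from bar.github.io
# but lets foo.private-org.github.io and bar.private-org.github.io share cookies.

def _labels(host):
    return host.lower().rstrip(".").split(".")

def public_suffix(host, rules):
    """PSL algorithm: collect every matching rule; an exception rule (`!`)
    prevails, otherwise the rule with the most labels; `*` matches exactly
    one label; with no matching rule the TLD itself is the public suffix."""
    labels = _labels(host)
    matches = []
    for rule in rules:
        exception = rule.startswith("!")
        parts = rule.lstrip("!").split(".")
        if len(parts) > len(labels):
            continue
        tail = labels[-len(parts):]
        if all(p == "*" or p == l for p, l in zip(parts, tail)):
            matches.append((exception, len(parts)))
    if not matches:
        return labels[-1]
    exception, n = max(matches)  # (True, n) sorts above every (False, m)
    if exception:
        n -= 1  # an exception rule's suffix is the rule minus its leftmost label
    return ".".join(labels[-n:])

def registrable_domain(host, rules):
    """Public suffix plus one label (eTLD+1); None if host is itself a suffix."""
    labels = _labels(host)
    k = public_suffix(host, rules).count(".") + 1
    return ".".join(labels[-(k + 1):]) if len(labels) > k else None

def can_share_cookies(a, b, rules):
    """Browsers reject Domain= cookies scoped to a public suffix, so two hosts
    can only share a cookie when they sit under the same registrable domain."""
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb

if __name__ == "__main__":
    psl = {"io", "github.io"}  # constructed subset of the real list's rules
    for rules in (psl, psl | {"*.github.io"}):  # second set adds the rule the thread says is absent
        pairs = [("foo.github.io", "bar.github.io"),
                 ("foo.private-org.github.io", "bar.private-org.github.io")]
        for a, b in pairs:
            print(sorted(rules), a, "<->", b, can_share_cookies(a, b, rules))
```

With only `github.io` on the list the second pair shares `private-org.github.io`; adding `*.github.io` makes `private-org.github.io` itself a public suffix and the pair can no longer share.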


Oh yes, that makes sense. Thanks!



