Our site is getting dinged pretty hard on “cookieless” domains. For example:
Home page is www.domain.com
We use the following CDN domains:
js.domain.com (javascripts)
css.domain.com (css)
graphics.domain.com (images, media, graphics, etc)
images.domain.com (static images associated with our customers)
video.domain.com (video files served up for our pages)
All of the CDN domains are Akamai, with a dedicated server in our data center for origin, except for the images and video domains, which have Akamai NetStorage as origin.
We set a cookie on domain.com (not www.domain.com), so obviously all of our CDN domains are “cookied”. We have to set this cookie domain-wide, since we have multiple hostnames under domain.com (such as ww1.domain.com, ww2.domain.com) which are used for our A/B testing, etc, etc.
We are looking to move to a “cookieless” domain for the stuff that doesn’t require a cookie. Obviously we can get quick wins by setting up css.domaincdn.com, graphics.domaincdn.com, etc.
The one I am concerned about is the js.domaincdn.com - will we run into any XSS issues? Or will this only occur if the javascripts require access to the domain.com cookies?
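How the domain-wide cookie described in the post reaches each hostname, following the RFC 6265 domain-match rule (an added example, not part of the original post; the cookie objects and function names are constructed for illustration, and the hostnames are the ones listed above):

```javascript
// Added example: which of the post's hostnames receive a cookie scoped to domain.com.
// The cookie objects below are constructed; only their Domain scoping matters.

// Domain-matching never applies suffix rules to IP addresses (RFC 6265, 5.1.3).
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: identical, or host ends with "." + cookie domain.
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (host === domain) return true;
  return host.endsWith("." + domain) && !isIpAddress(host);
}

// A cookie set without a Domain attribute is host-only: exact host match required.
function cookieIsSent(requestHost, cookie) {
  if (cookie.hostOnly) {
    return requestHost.toLowerCase() === cookie.domain.toLowerCase();
  }
  return domainMatch(requestHost, cookie.domain);
}

function cookiedHosts(hosts, cookie) {
  return hosts.filter((h) => cookieIsSent(h, cookie));
}

const hosts = [
  "www.domain.com", "ww1.domain.com", "ww2.domain.com",
  "js.domain.com", "css.domain.com", "graphics.domain.com",
  "images.domain.com", "video.domain.com",
  "js.domaincdn.com", "css.domaincdn.com", "graphics.domaincdn.com",
];

// Cookie as described in the post: Domain=domain.com, shared by all subdomains.
const siteWide = { domain: "domain.com", hostOnly: false };
// Contrast case: the same cookie set on www.domain.com with no Domain attribute.
const wwwOnly = { domain: "www.domain.com", hostOnly: true };

console.log("Domain=domain.com is sent to:", cookiedHosts(hosts, siteWide));
console.log("host-only www cookie is sent to:", cookiedHosts(hosts, wwwOnly));
```

A file loaded from js.domaincdn.com through a `<script src>` tag executes in the origin of the page that includes it, so its access to `document.cookie` is decided by the page's host rather than by the host the file was fetched from.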