
Easter egg time:

https://neocities.org/SiliconValley/Peaks/2790/

Works for any Geocities neighborhood.

Jason Scott (@textfiles) gave me the idea when I was at the Internet Archive.



I love easter eggs in open source code. I was able to easily find this in the code and learned a bit about neocities and geocities URL formats in the process.

I was expecting that neocities sites would have similar URLs to geocities (in the neocities.org/server/user/page format). This is a fun way of learning about stuff.


Unfortunately, the way web security works these days, there is no concept of path origin security, so sites in the neocities.org domain would be able to execute XSS attacks and steal session cookies and whatnot. Subdomains (site.neocities.org) are considered a different origin, and that allows us to prevent attacks on the main site. It's not perfect; there have been attack vectors in the past (which have been mitigated by some security features, such as HttpOnly cookies).

Path origin policies are being considered right now. They're currently being referred to as suborigins: https://w3c.github.io/webappsec-suborigins/

What I would really like to see is a CSP option for cookie access control, but unfortunately it appears to have been shelved for the moment: https://www.w3.org/TR/csp-cookies/ https://twitter.com/kyledrake/status/818931856238407680
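To make the path-versus-subdomain point in the comment above concrete, here is an added example (not part of the thread and not Neocities' code) that models the browser's origin comparison and RFC 6265 cookie matching. The `/dashboard` URL and the three cookie objects are constructed for illustration and say nothing about how Neocities actually sets its cookies.

```javascript
// Added illustration; the MAIN URL and all cookie objects are constructed samples.

// An origin is the (scheme, host, port) tuple; the path is not part of it.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 domain-match: a host-only cookie (no Domain attribute) goes only
// to the exact host that set it; a Domain cookie also goes to subdomains.
function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 path-match: prefix match that must end on a "/" boundary.
function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for `url`?
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(cookie, u.hostname) && pathMatches(cookie.path, u.pathname);
}

// Can script running in a page at `url` read it through document.cookie?
function scriptCanRead(cookie, url) {
  return !cookie.httpOnly && cookieSentTo(cookie, url);
}

const MAIN = "https://neocities.org/dashboard"; // constructed path
const PATH_SITE = "https://neocities.org/SiliconValley/Peaks/2790/";
const SUB_SITE = "https://site.neocities.org/";

// Constructed session cookies: host-only, Domain-wide, and Domain-wide + HttpOnly.
const hostOnly = { domain: "neocities.org", hostOnly: true, path: "/", secure: true, httpOnly: false };
const domainWide = { ...hostOnly, hostOnly: false };
const hardened = { ...domainWide, httpOnly: true };

console.log("path site same origin as main:", sameOrigin(MAIN, PATH_SITE));
console.log("subdomain same origin as main:", sameOrigin(MAIN, SUB_SITE));
console.log("host-only cookie readable on path site:", scriptCanRead(hostOnly, PATH_SITE));
console.log("Domain-wide cookie readable on subdomain:", scriptCanRead(domainWide, SUB_SITE));
```

The `hardened` cookie is still sent to the subdomain by the browser; HttpOnly only keeps page script from reading it.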


Why not link to reocities.com instead?



