Back to GitHub.com GitHub Support Contact GitHub

New GitHub Pages domain: github.io

Beginning today, all GitHub Pages sites are moving to a new, dedicated domain: github.io. This is a security measure aimed at removing potential vectors for cross domain attacks targeting the main github.com session as well as vectors for phishing attacks relying on the presence of the “github.com” domain to build a false sense of trust in malicious websites.

If you’ve configured a custom domain for your Pages site (“yoursite.com” instead of “yoursite.github.com”) then you are not affected by this change and may stop reading now.

If your Pages site was previously served from a username.github.com domain, all traffic will be redirected to the new username.github.io location indefinitely, so you won’t have to change any links. For example, newmerator.github.com now redirects to newmerator.github.io.

From this point on, any website hosted under the github.com domain may be assumed to be an official GitHub product or service.

Please contact support if you experience any issues due to these changes. We’ve taken measures to prevent any serious breakage but this is a major change and could have unexpected consequences. Do not hesitate to contact support for assistance.

Technical details

Changes to Pages sites and custom domains:

  • All User, Organization, and Project Pages not configured with a custom domain are now hosted on github.io instead of github.com. For instance, username.github.com is now served canonically from username.github.io.
  • An HTTP 301 Moved Permanently redirect has been added for all .github.com** sites to their new **.github.io locations.
  • Pages sites configured with a custom domain are not affected.
  • The Pages IP address has not changed. Existing A records pointing to the Pages IP are not affected.

Changes to GitHub repositories:

  • User Pages repositories may now be named using the new username/username.github.io convention or the older username/username.github.com convention.
  • Existing User Pages repositories named like username/username.github.com do not need to be renamed and will continue to be published indefinitely.
  • If both a username.github.io and a username.github.com repository exists, the username.github.io version wins.

Security vulnerability

There are two broad categories of potential security vulnerabilities that led to this change.

  1. Session fixation and CSRF vulnerabilities resulting from a browser security issue sometimes referred to as “Related Domain Cookies”. Because Pages sites may include custom JavaScript and were hosted on github.com subdomains, it was possible to write (but not read) github.com domain cookies in way that could allow an attacker to deny access to github.com and/or fixate a user’s CSRF token.
  2. Phishing attacks relying on the presence of the “github.com” domain to create a false sense of trust in malicious websites. For instance, an attacker could set up a Pages site at “account-security.github.com” and ask that users input password, billing, or other sensitive information.

We have no evidence of an account being compromised due to either type of vulnerability and have mitigated all known attack vectors.

Have feedback on this post? Let @github know on Twitter.
Need help or found a bug? Contact us.

Subscribe

Discover new ways to build better

Try Marketplace apps free for 14 days

Learn more