Note: This does not apply if you untick "Allow requests to the same domain" in Preferences > Manage policies > Default Policy.
By default, RequestPolicy allows requests within the same domain (for example, images.example.com is assumed to belong to the same organization as www.example.com). The general risk is that it is possible for a site to direct traffic for a subdomain of theirs to a different company's IP address. This situation appears to be fairly uncommon at the current time, but it is a real threat to privacy and is currently in use on various popular sites. The owner of example.com could direct traffic for cdn.example.com to a content distribution network used on example.com but actually owned by another company (content delivery networks, analytics and tracking services, ...), or direct traffic for ads.example.com to another company that serves ads.
If you host a site such as personal.example.com on your local network, an attacker who controls another.example.com will be able to bypass RequestPolicy's default deny policy for personal.example.com, as that policy does not apply to requests to the same domain.
Likewise, the owner of www.evilsite.com could point his subdomain attack.evilsite.com to the IP address of your-bank.com, so that requests to the bank site will be allowed. However, your browser will not send the cookies saved for your-bank.com to the attacker, as the two hosts do not share the same domain name. This makes the attack less useful in most situations.
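As an added illustration (not RequestPolicy's own code), the following Python model shows why the subdomain trick passes the same-domain rule yet yields no cookies: the rule compares hostnames, DNS may map a hostname to any IP address, and the browser attaches cookies by hostname as well. The hostnames, IP addresses, cookie jar and the two-label registrable-domain heuristic are constructed assumptions for the example.

```python
"""Toy model of RequestPolicy's default "allow requests to the same domain"
rule, showing why pointing attack.evilsite.com at the bank's IP address is
allowed by the rule but does not carry the bank's cookies.

Constructed example; not RequestPolicy's code. The DNS table, cookie jar and
the two-label domain heuristic are simplifications made for illustration."""

# Constructed DNS records: the attacker's subdomain resolves to the bank's IP.
DNS = {
    "www.evilsite.com": "203.0.113.10",
    "attack.evilsite.com": "198.51.100.20",  # deliberately the bank's IP
    "your-bank.com": "198.51.100.20",
}

# Constructed cookie jar: cookie domain -> names of cookies stored for it.
COOKIES = {"your-bank.com": ["session"]}


def registrable_domain(host: str) -> str:
    """Simplified base domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def same_domain(origin_host: str, dest_host: str) -> bool:
    """RequestPolicy's same-domain rule compares base domains, never IPs."""
    return registrable_domain(origin_host) == registrable_domain(dest_host)


def cookies_sent(dest_host: str) -> list:
    """Cookies are attached only when their domain equals the request host
    or is a parent of it; the IP address the host resolves to is irrelevant."""
    sent = []
    for domain, names in COOKIES.items():
        if dest_host == domain or dest_host.endswith("." + domain):
            sent.extend(names)
    return sent


def simulate_request(origin_host: str, dest_host: str, allow_same_domain=True):
    """Return (allowed_by_policy, ip_reached, cookies_attached) for a request
    from a page on origin_host to dest_host. Only the default same-domain rule
    is modelled; no whitelist entries exist."""
    allowed = allow_same_domain and same_domain(origin_host, dest_host)
    if not allowed:
        return False, None, []
    return True, DNS.get(dest_host), cookies_sent(dest_host)
```

With the same-domain rule unticked (as in the note above), the request to attack.evilsite.com is blocked like any other cross-site request.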