All the more reason to run less-trusted consumer-generated content on a separate domain:
Amazon CloudFront (already on the Public Suffix List): https://d18rrft186j3x1.cloudfront.net/bomb_.html
Google Cloud Storage: http://fofofoofooo.commondatastorage.googleapis.com/bomb2.ht...
GitHub user content: http://wrr.github.io/cookie-bomb/bomb.html
Dropbox user content: https://dl.dropboxusercontent.com/u/63170109/bomb.html
Google Drive hosted static pages: https://googledrive.com/host/0B3BESKL7AtJvZDBhSnA1UnpOVW8/
Tumblr: http://krol-okrucyusz.tumblr.com/