
1005 points janpio | 2 comments
arccy ◴[] No.45676475[source]
If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
replies(16): >>45676781 #>>45676818 #>>45677023 #>>45677080 #>>45677130 #>>45677226 #>>45677274 #>>45677297 #>>45677341 #>>45677379 #>>45677725 #>>45677758 #>>45678975 #>>45679154 #>>45679258 #>>45679802 #
0xbadcafebee ◴[] No.45677379[source]

  In the past, browsers used an algorithm which only denied setting wide-ranging cookies for top-level domains with no dots (e.g. com or org). However, this did not work for top-level domains where only third-level registrations are allowed (e.g. co.uk). In these cases, websites could set a cookie for .co.uk which would be passed onto every website registered under co.uk.

  Since there was and remains no algorithmic method of finding the highest level at which a domain may be registered for a particular top-level domain (the policies differ with each registry), the only method is to create a list. This is the aim of the Public Suffix List.
  
  (https://publicsuffix.org/learn/)
So, once they realized web browsers are all inherently flawed, their solution was to maintain a static list of websites.

God I hate the web. The engineering equivalent of a car made of duct tape.

replies(10): >>45677442 #>>45678161 #>>45678382 #>>45678520 #>>45678922 #>>45679006 #>>45679642 #>>45680322 #>>45680711 #>>45680859 #
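To make the quoted rationale concrete, here is an added example (not code from the thread or from publicsuffix.org) that implements the PSL matching rules over a small constructed subset of the list, including the wildcard and exception rule forms, and uses the result for the check a browser performs before honouring a cookie's Domain attribute. The rule subset and hostnames below are constructed for illustration.

```python
# Added example: PSL-style public-suffix matching and the cookie Domain check.
# PSL_RULES is a constructed subset; browsers load the full list from
# https://publicsuffix.org/list/ and apply the same matching rules.
PSL_RULES = [
    "com", "org", "uk", "co.uk", "org.uk",
    "*.ck", "!www.ck",     # wildcard rule plus an exception rule, as in the real list
    "github.io",           # private-section entry: user content hosted on subdomains
]

def _rule_matches(rule: str, labels: list[str]) -> bool:
    """True if a PSL rule (without a leading '!') matches the label list."""
    rule_labels = rule.split(".")
    if len(rule_labels) > len(labels):
        return False
    # Compare right to left; '*' matches exactly one label.
    for r, l in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != l:
            return False
    return True

def public_suffix(host: str, rules=PSL_RULES) -> str:
    """PSL algorithm: an exception rule wins outright, otherwise the longest
    matching rule; with no match the rightmost label alone is the suffix."""
    labels = host.lower().rstrip(".").split(".")
    best = None
    for rule in rules:
        is_exception = rule.startswith("!")
        body = rule[1:] if is_exception else rule
        if not _rule_matches(body, labels):
            continue
        if is_exception:
            # Exception: the suffix is the rule with its leftmost label removed.
            return ".".join(body.split(".")[1:])
        if best is None or len(body.split(".")) > len(best.split(".")):
            best = body
    n = len(best.split(".")) if best else 1
    return ".".join(labels[-n:])

def registrable_domain(host: str, rules=PSL_RULES):
    """eTLD+1: public suffix plus one label, or None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def cookie_domain_allowed(request_host: str, domain_attr: str, rules=PSL_RULES) -> bool:
    """Would a browser accept 'Set-Cookie: ...; Domain=domain_attr' from request_host?
    The attribute must domain-match the host (RFC 6265) and must not be a public suffix."""
    host, dom = request_host.lower(), domain_attr.lower().lstrip(".")
    if not (host == dom or host.endswith("." + dom)):
        return False
    return public_suffix(dom, rules) != dom
```

With this subset, a response from www.example.co.uk may set a cookie for example.co.uk but not for co.uk, and a page on alice.github.io cannot set one for github.io, which is the isolation the first comment is asking for.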
lukan ◴[] No.45677442[source]
"The engineering equivalent of a car made of duct tape"

Kind of. But do you have a better proposition?

replies(2): >>45677503 #>>45678251 #
jadengeller ◴[] No.45678251[source]
I'd probably say we ought to use DNS.
replies(1): >>45678843 #
asplake ◴[] No.45678843[source]
And while we're at it, 1) mark domains as https-only, and 2) when root domains map to a subdomain (e.g. www).