
1005 points janpio | 2 comments
arccy No.45676475
If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
replies(16): >>45676781 >>45676818 >>45677023 >>45677080 >>45677130 >>45677226 >>45677274 >>45677297 >>45677341 >>45677379 >>45677725 >>45677758 >>45678975 >>45679154 >>45679258 >>45679802
1. fc417fc802 No.45679258
How does the PSL make any sense? What stops an attacker from offering free static hosting and then making use of their own service?

I appreciate the issue it tries to solve but it doesn't seem like a sane solution to me.

replies(1): >>45679911
2. arccy No.45679911
PSL isn't a list of dangerous sites per se.

Browsers already do various levels of isolation based on domain / subdomains (e.g. cookies). PSL tells them to treat each subdomain as if it were a top level domain because they are operated by (leased out to) different individuals / entities. With respect to blocking, it just means that if one subdomain is marked bad, it's less likely to contaminate the rest of the domain since they know it's operated by different people.
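An added example, not from the thread or from any browser's code, of the mechanism arccy describes: a minimal Public Suffix List matcher following the list's published algorithm (longest matching rule wins, `*.` rules match one label, `!` exception rules override), plus the two checks browsers derive from it: whether two hosts share a registrable domain (eTLD+1), and whether a `Set-Cookie` `Domain=` attribute is allowed. `PSL_SNIPPET` is a constructed, abridged excerpt in the list's own syntax; the function names are this example's own.

```javascript
// Added example (not from the HN thread or any browser). PSL_SNIPPET is a
// constructed, abridged excerpt written in the Public Suffix List's own syntax:
// plain rules, "*." wildcard rules, "!" exception rules, "//" comments.
const PSL_SNIPPET = `
// ICANN section (abridged, constructed)
com
uk
co.uk
*.ck
!www.ck
// PRIVATE section (abridged, constructed): operators who lease subdomains
github.io
`;

// Parse the list into rules: { exception: bool, labels: [...] }.
function parsePsl(text) {
  return text.split('\n')
    .map(l => l.trim())
    .filter(l => l && !l.startsWith('//'))
    .map(rule => {
      const exception = rule.startsWith('!');
      const labels = (exception ? rule.slice(1) : rule).split('.');
      return { exception, labels };
    });
}

// A rule matches a host when the host ends with the rule's labels,
// with "*" matching any single label.
function ruleMatches(ruleLabels, hostLabels) {
  if (ruleLabels.length > hostLabels.length) return false;
  for (let i = 1; i <= ruleLabels.length; i++) {
    const r = ruleLabels[ruleLabels.length - i];
    const h = hostLabels[hostLabels.length - i];
    if (r !== '*' && r !== h) return false;
  }
  return true;
}

// Public suffix of a host per the PSL algorithm: an exception rule wins outright
// (its suffix is the rule minus its leftmost label); otherwise the longest
// matching rule; if nothing matches, the implicit "*" rule (the top label).
function publicSuffix(rules, host) {
  const labels = host.toLowerCase().split('.');
  let best = null;
  for (const rule of rules) {
    if (!ruleMatches(rule.labels, labels)) continue;
    if (rule.exception) { best = { labels: rule.labels.slice(1) }; break; }
    if (!best || rule.labels.length > best.labels.length) best = rule;
  }
  const n = best ? best.labels.length : 1;
  return labels.slice(labels.length - n).join('.');
}

// Registrable domain (eTLD+1): public suffix plus one more label.
// Returns null when the host is itself a public suffix.
function registrableDomain(rules, host) {
  const labels = host.toLowerCase().split('.');
  const suffixLen = publicSuffix(rules, host).split('.').length;
  if (suffixLen >= labels.length) return null;
  return labels.slice(labels.length - suffixLen - 1).join('.');
}

// Two hosts are "same site" when they share a registrable domain. With
// github.io on the list, alice.github.io and bob.github.io are different sites.
function sameSite(rules, hostA, hostB) {
  const a = registrableDomain(rules, hostA);
  const b = registrableDomain(rules, hostB);
  return a !== null && a === b;
}

// Cookie Domain= check: the attribute must domain-match the host and must not
// be a public suffix, so a tenant on alice.github.io cannot set a cookie for
// all of github.io.
function cookieDomainAllowed(rules, host, domainAttr) {
  const d = domainAttr.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  if (h !== d && !h.endsWith('.' + d)) return false; // not a domain-match
  if (publicSuffix(rules, d) === d) return false;     // Domain is a public suffix
  return true;
}

const RULES = parsePsl(PSL_SNIPPET);
```

Without the `github.io` entry, `registrableDomain(RULES, 'alice.github.io')` would collapse to `github.io`, every tenant would be same-site with every other tenant, and a `Domain=github.io` cookie set by one tenant would be sent to all of them; the `*.ck` / `!www.ck` pair shows why a matcher has to handle wildcard and exception rules rather than just doing suffix comparison.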