Hacker News new | past | comments | ask | show | jobs | submit login

This isn't entirely without precedent. Firefox does something similar by greying out the `www` in the UI, Chrome just decided to take things a step further by hiding it entirely.



Huge difference IMO. I'd explain your example as firefox highlighting the domain part of the URI.


Firefox's behaviour is that is makes everything except the eTLD+1 grey, because that's what's normally useful for evaluating authenticity. There's no distinction made between `www` and any other subdomain.


These are all in the same origin so they can read cookies and manipulate pages.


Subdomains are in different origins; cookies have their own weird notion of security.


This is not true unless the cookie is specifically marked to be domain-wide.

There was a time when IE misbehaved. Not sure if this fixed in Edge: https://www.mxsasha.eu/blog/2014/03/04/definitive-guide-to-c...


> There was a time when IE misbehaved. Not sure if this fixed in Edge: https://www.mxsasha.eu/blog/2014/03/04/definitive-guide-to-c....

Pretty sure that was fixed in Edge and IE (as a security issue).


While that certainly may be the case, it's been shown time and time again how many users (and even sys admins!) are bad at installing patches.


FF greys out all the subdomains, not just www. Good for anti-phishing, I guess.


FF grays out everything that's not the domain name, not just `www` and more importantly, not because it's `www`.


> Firefox does something similar by greying out

So, not similar at all?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: