
Update on special-case subdomain elision in Chrome - shabble
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/5DIxA4yRfD0
======
mbrumlow
> special-case subdomains “www” and “m”

These are not special-case subdomains, they are simply subdomains...

~~~
kixpanganiban
This. The rollback they're doing is something we of Hispanic descent call
consuelo-de-bobo. They're still going to elide www so what's the point?

------
londons_explore
The missing rationale here seems to be:

* The domain part of a URL is a critical security indicator.

* The shorter and simpler this indicator is, the more chance users will understand and trust it.

* Very few users trust www.yahoo.com while not trusting yahoo.com.

* If we assume that users who trust www.domain.com also trust domain.com and vice versa, we can remove the "www." from the UI, creating a shorter, simpler and more understandable security token.

~~~
frumiousirc
> The domain part of a URL is a critical security indicator.

Except when it's not.

[https://www.schrauger.com/the-story-of-how-wosign-gave-me-an...](https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com)

[http://freedns.afraid.org/](http://freedns.afraid.org/)

------
parliament32
> There is more community consensus that sites should not allow the “www”
> subdomain to be user controlled.

Is there any record of this "consensus"? This shouldn't be happening, period.
There is a difference between example.com and www.example.com: they can serve
different content, and can have different DNS records. There is literally no
sane reason to hide any subdomain, common or not -- it's there for a reason.

Previous discussion:
[https://news.ycombinator.com/item?id=17927972](https://news.ycombinator.com/item?id=17927972)

------
lucideer
> _We do not plan to standardize how browsers should treat these special cases
> in their UI_

This is a statement from the Chrome team; from Google. Since when does Google
unilaterally decide on what it will or will not standardise in other browsers?

Standardisation is a multi-stakeholder collaborative process. This sounds very
much like Google representatives don't view it as such. Given their dominant
market position, that's a worrying sign.

~~~
detaro
It helps to read that sentence in the context of the sentence right before it.

~~~
lucideer
The context doesn't change the meaning. The previous sentence talks about
engaging in a (separate, different) standardisation process with others, and
this sentence then does a jarring context switch by instead talking about a
seemingly unilateral action (albeit thankfully in the negative, so only the
tone is of concern).

~~~
dragonwriter
No, the sentence in question is—and the context you are dismissing makes this
abundantly clear, though it is also the most natural reading of the sentence
in isolation, IMO—using “standardize” to mean “seek to establish as an
industry standard through the process of a standards body.”

(Note that while I think the language is clear, I think this whole approach
from Google is ill-conceived to the point of borderline lunacy; there is no
need for these to be special-case subdomains or for them to be treated
specially by UIs at all.)

------
Boulth
If only HTTP supported SRV records so people could use bare domain
(google.com) in the UI while serving content transparently from other hosts.
Many protocols use that (e.g. XMPP). But no, it seems to be easier to stick to
www CNAME "hack" and fix it by introducing even more hacks like this "www
elision".

------
robbyt
They've added a feature nobody asked for, so there must be another hidden
reason why they've decided to add this. Any ideas? Is this really just a "UX
enhancement", or is there a bigger strategy behind it?

------
jwilk
Context:

[https://news.ycombinator.com/item?id=17927972](https://news.ycombinator.com/item?id=17927972)

------
mmerlin
I don't get it.

Putting style before substance.

To disable the annoying behaviour:

chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains

------
jsjohnst
My money is on Tumblr having been the primary “big site” where this was an
issue.

