This is a good opportunity to inform folks about the Public Suffix List[1]. In short, there is no algorithmic way to know how far up a subdomain is controlled by a single entity. For example ".org", ".co.uk", and ".cloudfront.com" are all public suffixes where subdomains under them are controlled by different entities. Mozilla created[2] the public suffix list to document these regions of control. If you write any software that gives subdomains the same privilege as the base domain, you should (at a minimum) check this list and verify that the subdomain is not known to be controlled by a different party. If you share a domain across multiple entities, you should add your domain to the public suffix list. I don't know if bitwarden uses PSL or not.

I learned about this from gorhill who is very diligent about applying this in uMatrix, etc[3].

[1]https://publicsuffix.org/

[2]https://wiki.mozilla.org/Public_Suffix_List

[3]https://github.com/gorhill/uMatrix/issues/264
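A minimal worked version of the check described in the comment above, added here as an example and not code from the original post or from Bitwarden: it parses a constructed excerpt of the PSL (including a wildcard and an exception rule), finds the public suffix and registrable domain of a hostname, and only treats two hosts as one owner when they share a registrable domain. The rule set is an assumed subset for illustration; real code should load the full list from publicsuffix.org or use a maintained library.

```python
# Constructed PSL excerpt for this example (a tiny subset of the real list).
PSL_EXCERPT = """
// ICANN section
com
org
uk
co.uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
cloudfront.net
github.io
"""


def parse_psl(text):
    """Split PSL text into exact, wildcard ('*.x') and exception ('!x') rules."""
    exact, wildcard, exception = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("!"):
            exception.add(line[1:])
        elif line.startswith("*."):
            wildcard.add(line[2:])
        else:
            exact.add(line)
    return exact, wildcard, exception


RULES = parse_psl(PSL_EXCERPT)


def public_suffix(host, rules=RULES):
    """Longest matching public suffix; an exception rule overrides a wildcard."""
    exact, wildcard, exception = rules
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if candidate in exception:
            return parent  # "!www.ck": www.ck is registrable, suffix is "ck"
        if candidate in exact or (parent and parent in wildcard):
            return candidate
    return labels[-1]  # PSL default: an unlisted TLD is still a suffix


def registrable_domain(host, rules=RULES):
    """Public suffix plus one label (eTLD+1); None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])


def same_site(host_a, host_b, rules=RULES):
    """True only when both hosts sit under the same registrable domain."""
    a, b = registrable_domain(host_a, rules), registrable_domain(host_b, rules)
    return a is not None and a == b
```

Note that two CloudFront or GitHub Pages hostnames come back as different sites, which is exactly the case a naive "strip to the last two labels" check gets wrong.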

Ryan Sleevi suggests (perhaps that's putting it too mildly) that further reliance on the PSL is a bad idea:

https://github.com/sleevi/psl-problems and https://news.ycombinator.com/item?id=24441942

His recommendation is to as much as possible use the Same Origin Policy or if you must, a slightly weakened variant like ignoring port numbers.

I suspect I'll make another comment elsewhere in this discussion that says more about the problems with that.