Risk of trusting subdomains
Note: This does not apply if you untick Allow requests to the same domain in Preferences > Manage policies > Default Policy
- Subdomains are generally assumed to be owned by the same organization as the main domain (e.g. images.example.com is assumed to belong to the same organization as www.example.com). The general risk is that it is possible for a site to direct traffic for a subdomain of theirs to a different company's IP address. This situation appears to be fairly uncommon at the current time, but it is a real threat to privacy and is currently in use on various popular sites. The owner of example.com could point cdn.example.com to a content distribution network used on example.com that is actually owned by another company (content delivery networks, analytics and tracking services...), or direct traffic for ads.example.com to another company that serves ads.
- If you host personal.example.com on your local network, an attacker who controls another.example.com will be able to bypass RequestPolicy's default deny policy for personal.example.com, as it does not apply to requests to the same domain.
- An attacker who tricks you into visiting www.evilsite.com could point his subdomain attack.evilsite.com to the IP address of your-bank.com, so the requests to the bank site will be allowed. However, your browser will not send cookies saved for your-bank.com to the attacker, as they do not have the same domain name. This makes the attack less useful in most situations.
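The three scenarios above, as an added example that is not RequestPolicy's own code: a small Python model of a default-deny policy with the "allow requests to the same domain" preference switched on or off, plus a constructed DNS table showing that the decision is taken on hostnames alone, regardless of which company's IP address a subdomain resolves to. The tiny public-suffix list, the `Policy` class, the rule that same-host requests are always allowed, and all hostnames and addresses are assumptions made for the example.

```python
"""Toy model of a same-domain allow rule (added example, not RequestPolicy code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List; the real list is far larger (constructed).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def base_domain(host: str) -> str:
    """Registrable domain (eTLD+1): 'cdn.example.com' -> 'example.com'.
    Longest known public suffix wins, so 'www.example.co.uk' -> 'example.co.uk'."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):          # i ascending = longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return host                           # no known suffix: treat host as its own domain


@dataclass(frozen=True)
class Policy:
    """Default-deny policy with the same-domain preference from the note above.
    Assumption: requests to the exact same host are always allowed."""
    allow_same_domain: bool = True
    allow_rules: frozenset = frozenset()  # explicit (origin_base, dest_base) allows

    def decide(self, origin_url: str, dest_url: str) -> str:
        o_host = urlsplit(origin_url).hostname
        d_host = urlsplit(dest_url).hostname
        if o_host == d_host:
            return "allow (same host)"
        o_base, d_base = base_domain(o_host), base_domain(d_host)
        # Note: only the names are compared; where d_host resolves plays no part.
        if self.allow_same_domain and o_base == d_base:
            return "allow (same domain)"
        if (o_base, d_base) in self.allow_rules:
            return "allow (explicit rule)"
        return "deny (default)"


def cookie_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
    Shows why cookies for your-bank.com are not sent to attack.evilsite.com even
    when both names resolve to the same IP address."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


# Constructed DNS view (TEST-NET addresses): what each name actually resolves to.
RESOLVES_TO = {
    "www.example.com": "203.0.113.10",      # example.com's own server
    "cdn.example.com": "198.51.100.7",      # points at a third-party CDN
    "personal.example.com": "192.0.2.5",    # host on a local network
    "another.example.com": "198.51.100.9",  # controlled by someone else
    "attack.evilsite.com": "203.0.113.80",  # pointed at the bank's address
    "your-bank.com": "203.0.113.80",
}


def evaluate(policy: Policy, origin_url: str, dest_url: str) -> tuple:
    """Return (decision, IP the destination resolves to) for one request."""
    dest_host = urlsplit(dest_url).hostname
    return policy.decide(origin_url, dest_url), RESOLVES_TO.get(dest_host, "?")


if __name__ == "__main__":
    default, strict = Policy(), Policy(allow_same_domain=False)
    cases = [
        ("https://www.example.com/", "https://cdn.example.com/track.js"),
        ("https://personal.example.com/", "https://another.example.com/"),
        ("https://www.evilsite.com/", "https://attack.evilsite.com/login"),
    ]
    for origin, dest in cases:
        for name, pol in (("default", default), ("same-domain off", strict)):
            print(f"{name:16} {origin} -> {dest}: {evaluate(pol, origin, dest)}")
    print("bank cookie sent to attack.evilsite.com?",
          cookie_domain_matches("attack.evilsite.com", "your-bank.com"))
```

With the default policy every request in the table is allowed because both names share a base domain, even though cdn.example.com and another.example.com resolve to addresses example.com does not control; unticking the preference (the `strict` policy) turns each of them into a default deny, which is the mitigation the note describes.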

