Wildcarding the subdomain of subdomain (causes problem for sites like Netflix)
When I watch Netflix, ScriptSafe tends to cause playback problems because of the way they have their subdomains set up. I keep marking to allow everything, and then there are more with the next video. I already have dozens filling up the allow list and it's getting excessive.
To be specific, I have the following whitelisted:
netflix.com
**.netflix.com (the wildcard indicates that all subdomains are allowed)
oca.nflxvideo.net
Which resulted in these being blacklisted still:
ipv4-c139-ord001-ix.1.oca.nflxvideo.net (1)
ipv6-c003-ord002-dev-ix.1.oca.nflxvideo.net (5)
ipv6-c051-msp001-ix.1.oca.nflxvideo.net (1)
So then I added this:
**.nflxvideo.net
But then this is the latest thing to be blocked:
aatcpssnx3zmrmt6ovwldtthhgft75tnwgaa44vo.r.nflxso.net
Because the wildcard doesn't extend to the subdomains of subdomains, and unfortunately I cannot further refine it with:
**.r.nflxso.net
(that wouldn't be ideal anyway, when I want all of the subdomains of subdomains whitelisted)
which means there is no way for me to fully whitelist Netflix videos. If I could whitelist all domains, subdomains, etc. of these two domains it would be far easier. The only real workaround I have is to "allow all blocked for session", but the session expires before I finish, so it's a frequent annoyance. However, I don't want to totally disable ScriptSafe just to watch videos online.
As a side note: I even had trouble commenting because allowing GitHub wasn't enough to allow everything GitHub uses to comment.
Of course, I understand that allowing this is potentially dangerous - it would be too easy for a subdomain to be targeted for malicious purposes - but that's still better than breaking site functionality in a manner that otherwise requires fully disabling ScriptSafe.
Maybe it could be that for every asterisk added in front of a domain another subdomain layer is whitelisted? For example,
**.nflxvideo.net
Would whitelist
oca.nflxvideo.net but not 1.oca.nflxvideo.net
while
***.nflxvideo.net
would whitelist oca.nflxvideo.net and 1.oca.nflxvideo.net
and so on as necessary.
Bumping this issue as it interferes with a lot of the stuff Google does. Addresses such as 4.client-channel.google.com aren't able to be whitelisted as it stands.
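The asterisk-count proposal from the first post, sketched as an added example (not ScriptSafe's code and not written by anyone in this thread). Assumptions: all function names are hypothetical, a wildcard entry does not match the bare domain itself, and the `****.nflxvideo.net`, `***.nflxso.net` and `***.google.com` entries are constructed for illustration.

```javascript
// Proposed rule: "**.example.net" allows one subdomain level below the
// base domain; each additional "*" allows one more level.

function normalizeHost(host) {
  // Hostnames are case-insensitive and may carry a trailing root dot.
  return host.trim().toLowerCase().replace(/\.$/, '');
}

function parsePattern(pattern) {
  const m = /^(\*{2,})\.(.+)$/.exec(pattern.trim());
  if (!m) return { base: normalizeHost(pattern), maxDepth: 0 }; // exact entry
  return { base: normalizeHost(m[2]), maxDepth: m[1].length - 1 };
}

// 0 = host is the base itself, n = n labels below it, -1 = unrelated host.
function subdomainDepth(host, base) {
  if (host === base) return 0;
  // Compare on a label boundary: "evilnflxvideo.net" must not count as
  // being under "nflxvideo.net", which a plain suffix check would allow.
  if (!host.endsWith('.' + base)) return -1;
  const labels = host.slice(0, host.length - base.length - 1).split('.');
  return labels.some((label) => label === '') ? -1 : labels.length;
}

function matchesPattern(host, pattern) {
  const { base, maxDepth } = parsePattern(pattern);
  const depth = subdomainDepth(normalizeHost(host), base);
  if (maxDepth === 0) return depth === 0;
  // Assumption: the bare domain needs its own entry, as in the list above.
  return depth >= 1 && depth <= maxDepth;
}

function isAllowed(host, allowList) {
  return allowList.some((pattern) => matchesPattern(host, pattern));
}

// Constructed allow list using the hostnames quoted in this thread.
const ALLOW_LIST = [
  'netflix.com',
  '**.netflix.com',
  '****.nflxvideo.net', // three levels: ipv4-...-ix.1.oca.nflxvideo.net
  '***.nflxso.net',     // two levels: <id>.r.nflxso.net
  '***.google.com',     // two levels: 4.client-channel.google.com
];
```

Capping the depth keeps each entry explicit about how far below the base domain it reaches, and the label-boundary comparison prevents a look-alike registered domain from matching an entry.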