
Wildcarding the subdomain of subdomain (causes problem for sites like Netflix)

Open Elliander opened this issue 8 years ago • 1 comments

When I watch Netflix, scriptsafe tends to cause playback problems because of the way they have their subdomains set up. I keep marking to allow everything, and then there are more with the next video. I already have dozens filling up the allow list and it's getting excessive.

To be specific, I have the following whitelisted:

netflix.com

**.netflix.com (the wildcard indicates that all subdomains are allowed)

oca.nflxvideo.net

Which resulted in these being blacklisted still:

ipv4-c139-ord001-ix.1.oca.nflxvideo.net (1)

ipv6-c003-ord002-dev-ix.1.oca.nflxvideo.net (5)

ipv6-c051-msp001-ix.1.oca.nflxvideo.net (1)

so then I added this: **.nflxvideo.net

But then this is the latest thing to be blocked: aatcpssnx3zmrmt6ovwldtthhgft75tnwgaa44vo.r.nflxso.net

Because the wildcard doesn't extend to the subdomains of subdomains, and unfortunately I cannot further refine it with:

**.r.nflxso.net

(that wouldn't be ideal anyway, when I want all of the subdomains of subdomains whitelisted)

which means there is no way for me to fully whitelist Netflix videos. If I could whitelist all domains, subdomains, etc. of these two domains it would be far easier. The only real workaround I have is to "allow all blocked for session" but the session expires before I finish so it's a frequent annoyance. However, I don't want to totally disable scriptsafe just to watch videos online.

As a side note: I even had trouble commenting because allowing GitHub wasn't enough to allow everything GitHub uses to comment.

Of course, I understand that allowing this is potentially dangerous - it would be too easy for a subdomain to be targeted for malicious purpose - but that's still better than breaking site functionality in a manner that otherwise requires fully disabling scriptsafe.

Maybe it could be that for every asterisk added in front of a domain another subdomain layer is whitelisted? For example,

**.nflxvideo.net

Would whitelist

oca.nflxvideo.net but not 1.oca.nflxvideo.net

while

***.nflxvideo.net

would whitelist oca.nflxvideo.net and 1.oca.nflxvideo.net

and so on as necessary.

Elliander, Nov 01 '17 20:11
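Added illustration (not part of the original thread and not ScriptSafe's code): a matcher for the depth-counted wildcard proposed in the post above, run against hostnames quoted there. The function names are hypothetical, and the choice that a wildcard rule does not cover the bare domain is an assumption.

```javascript
// Added illustration, not ScriptSafe code: a matcher for the depth-counted
// wildcard proposed in the post above. Function names are hypothetical.

// "**.nflxvideo.net" -> { base: "nflxvideo.net", maxDepth: 1 }.
// Two asterisks allow one subdomain layer; each extra asterisk allows one more.
// A rule with no "**." prefix is exact (maxDepth 0).
function parseRule(rule) {
  const r = rule.trim().toLowerCase();
  const m = /^(\*{2,})\.(.+)$/.exec(r);
  return m ? { base: m[2], maxDepth: m[1].length - 1 } : { base: r, maxDepth: 0 };
}

// Number of labels host has below base, or -1 if host is not under base.
// Matching is on whole labels, so "evilnflxvideo.net" is not under
// "nflxvideo.net" even though it ends with the same characters.
function depthBelow(host, base) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  if (h === base) return 0;
  if (!h.endsWith("." + base)) return -1;
  const labels = h.slice(0, -(base.length + 1)).split(".");
  return labels.every((l) => l.length > 0) ? labels.length : -1;
}

// Assumption: a wildcard rule does not cover the bare domain itself
// (the post lists netflix.com and **.netflix.com as separate entries).
function hostAllowed(host, rule) {
  const { base, maxDepth } = parseRule(rule);
  const d = depthBelow(host, base);
  return maxDepth === 0 ? d === 0 : d >= 1 && d <= maxDepth;
}

// Hosts from the list that no rule allows.
function stillBlocked(hosts, rules) {
  return hosts.filter((h) => !rules.some((r) => hostAllowed(h, r)));
}

// Hostnames quoted in the post, plus one constructed look-alike.
const hosts = [
  "oca.nflxvideo.net",
  "1.oca.nflxvideo.net",
  "ipv4-c139-ord001-ix.1.oca.nflxvideo.net",
  "evilnflxvideo.net", // constructed: shares the suffix but not the label boundary
];
console.log(stillBlocked(hosts, ["**.nflxvideo.net"]));
console.log(stillBlocked(hosts, ["****.nflxvideo.net"]));
```

Under this scheme the video hosts quoted in the post sit three labels below nflxvideo.net, so they would need four asterisks; bounding the depth keeps the allow rule from covering arbitrarily deep names.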

Bumping this issue as it interferes with a lot of the stuff Google does. Addresses such as 4.client-channel.google.com aren't able to be whitelisted as it stands.

pjthomas404, May 17 '19 16:05