Add ability to exclude subdomains #8301

Open
1 task done
Rabadash8820 opened this issue Dec 3, 2024 · 2 comments
Labels: enhancement (Issue/PR contains enhancements to the overall code of the site), feature (Feature request)

Comments

@Rabadash8820
Contributor

Information about the feature to be added:

There may already be a way to do what I'm trying to do, I just couldn't figure it out from the CONTRIBUTING docs. My use case is for Student Loan servicers. It looks like all servicers are now required to host their sites on subdomains of studentaid.gov, e.g. <nelnet.studentaid.gov> and <aidvantage.studentaid.gov>. The Federal Student Aid website hosted at <studentaid.gov> does support 2FA, but not all of these servicer-specific subdomains do. Thus, password managers like 1Password will recommend setting up 2FA on these sites, but it's impossible to actually do so (Nelnet and Aidvantage are both examples of this). It would be great if there was a way to exclude the nelnet and aidvantage subdomains (and any others) from the studentaid.gov.json file.

Following the discussion on #3835:

> ... I have seen no implementation of a service (like Browser-plugins and 1Password), that really cares for anything else than the main-domain and tld part of the URL itself to guess whether 2FA is available or not.

1Password does allow specifying different "autofill behaviors" though, including "Only fill on this exact domain". So one could have separate Login items for studentaid.gov and every relevant *.studentaid.gov, each with that behavior set. Ideally, the root domain item would suggest enabling 2FA, while the subdomain items would not. Presumably, other password managers could work similarly.

> ... site ranking doesn't care for subdomains and only meters the main domain, so it would be next to impossible to figure out the overall ranking of that subdomain

In the specific case of student loan servicers, I think you could treat their sites' rankings as equivalent to studentaid.gov. Idk if you'd want to use the root domain ranking for all sites though...

Rabadash8820 added the enhancement label on Dec 3, 2024
@hkamran80
Member

hkamran80 commented Dec 3, 2024

> It looks like all servicers are now required to host their sites on subdomains of studentaid.gov, e.g. <nelnet.studentaid.gov> and <aidvantage.studentaid.gov>.

If you're interested in why and when that started, it began in March and was announced earlier this year. There is also a help center article on it.

> The Federal Student Aid website hosted at <studentaid.gov> does support 2FA, but not all of these servicer-specific subdomains do.

You could create a no-MFA entry for nelnet.studentaid.gov and the other federal loan servicers. I would assume that password managers would prefer the more exact match. If you do, I recommend submitting it as one PR.

Do you happen to know if all loan servicers share credentials? I would imagine no, but it is possible. They all share the same routes and login/signup pages, albeit with different styles.

> It would be great if there was a way to exclude the nelnet and aidvantage subdomains (and any others) from the studentaid.gov.json file.

This is definitely something we can look into. Off the top of my head, it would likely be similar to the regions array where excluded regions are prefixed with a -. For example:

```json
{
  "Federal Student Aid": {
    "domain": "studentaid.gov",
    "additional-domains": [
      "-nelnet.studentaid.gov",
      "-aidvantage.studentaid.gov"
    ]
  }
}
```

It would be up to password managers to support this though.

> > ... site ranking doesn't care for subdomains and only meters the main domain, so it would be next to impossible to figure out the overall ranking of that subdomain
>
> In the specific case of student loan servicers, I think you could treat their sites' rankings as equivalent to studentaid.gov. Idk if you'd want to use the root domain ranking for all sites though...

We currently use the root domain ranking because Similarweb does not usually rank subdomains. See #8186 for more detail.
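
The two approaches discussed in the comment above, as an added example that is not part of the thread or of the project's code: a consumer-side lookup that prefers the most specific matching entry and honors the proposed `-` exclusion prefix. The record shape is simplified, the `mfa` flag and the function names are hypothetical, and treating subdomains of an excluded host as excluded is an assumption.

```javascript
// Added example: hostname-to-entry lookup for a consumer of a 2FA directory.
// "mfa" is a hypothetical flag; the "-" prefix in "additional-domains" is the
// proposal from this thread, not a shipped feature.

const normalize = (h) => h.toLowerCase().replace(/\.$/, "");

// Label-boundary match: "a.studentaid.gov" is under "studentaid.gov",
// "notstudentaid.gov" is not.
const isUnder = (host, domain) => host === domain || host.endsWith("." + domain);

// Length of the best matching domain for this entry, or 0 if the entry does
// not apply (no match, or the host falls under an excluded domain; assumption).
function matchLength(host, entry) {
  const extra = entry["additional-domains"] || [];
  const excluded = extra.filter((d) => d.startsWith("-")).map((d) => normalize(d.slice(1)));
  if (excluded.some((d) => isUnder(host, d))) return 0;
  const included = [entry.domain, ...extra.filter((d) => !d.startsWith("-"))].map(normalize);
  return Math.max(0, ...included.filter((d) => isUnder(host, d)).map((d) => d.length));
}

// Picks the entry whose matching domain is the most specific (longest).
function resolveEntry(hostname, entries) {
  const host = normalize(hostname);
  let best = null;
  let bestLen = 0;
  for (const entry of entries) {
    const len = matchLength(host, entry);
    if (len > bestLen) { best = entry; bestLen = len; }
  }
  return best;
}

// Constructed sample data.
// (a) Proposed exclusion syntax: one entry, servicer subdomains carved out.
const withExclusions = [
  { name: "Federal Student Aid", domain: "studentaid.gov", mfa: true,
    "additional-domains": ["-nelnet.studentaid.gov", "-aidvantage.studentaid.gov"] },
];
// (b) Workaround from the thread: separate no-MFA entries for the servicers.
const withSeparateEntries = [
  { name: "Federal Student Aid", domain: "studentaid.gov", mfa: true },
  { name: "Nelnet", domain: "nelnet.studentaid.gov", mfa: false },
  { name: "Aidvantage", domain: "aidvantage.studentaid.gov", mfa: false },
];
```

With (a) a servicer hostname resolves to no entry at all, so a client has nothing to base a 2FA prompt on; with (b) it resolves to an explicit no-MFA entry, which only helps if the client prefers the most specific match rather than the registrable domain.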

@Rabadash8820
Contributor Author

> You could create a no-MFA entry for nelnet.studentaid.gov and the other federal loan servicers.

Done for Nelnet and Aidvantage in #8312 👍

> Do you happen to know if all loan servicers share credentials?

Doesn't look like it. Nelnet and Aidvantage do not share creds with each other at least (nor with the federal studentaid.gov site).

> This is definitely something we can look into

Assuming the above PR works the way we think it will, then I guess my use case is already solved. I leave it up to you maintainers to decide if "excluded domains" are worth implementing. 🤷‍♂️ (If not then feel free to close this Issue)
