This is what it really comes down to. Browsers are built around origins as the major security boundary. When you use a separate origin, safety comes for free.
This is what it really comes down to. Browsers are built around origins as the major security boundary. When you use a separate origin, safety comes for free.
And you open another can of worms which is phishing. If you run your marketing campaigns from yourcompany-deals-2025.com don't be surprised when people click yourcompany-login.com links
I'm not sure I understand.
edit: That is, your phishing approach would work regardless, in my opinion. If your main site is `mycompany.com` then don't be surprised to see phishers sending `my-company.com` etc.
Also, you can host our content on a separate domain while still having users visit the same domain.
Trust doesn’t though - discord.com/docs looks legit, as does docs.discord.com - discord-docs.com immediately sets off red flags
Is there no way to tell the browser “hey this URL is using the same domain but please isolate it from the rest”?
You can still have discord.com/docs with content hosted on discord-docs.com