The issue is everyone loves to have everything fronted by a single domain. Most XSS is because of this basic flaw. All of this could have been avoided if Discord didn't run their API docs through discord.com.
It's a bit surprising they did that, to be honest. I work at a similarly-sized, HN-popular tech company and our security team is very strict about less-trusted (third party!!) code running on another domain, or a subdomain at the very least, with strict CSP and similar.
But in the age of AI, it seems like chasing the popular thing takes precedence over good practices.
After reading this, I did some research and learned a lot. I never really considered that, by including many things under the same domain, you're increasing your blast radius w.r.t. security vulnerabilities. Thanks for that.
This is what it really comes down to. Browsers are built around origins as the major security boundary. When you use a separate origin, safety comes for free.
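To make the "origin boundary" point concrete, here is a small added example (not from any commenter in the thread) that computes what a browser treats as an origin and then checks the one caveat a practitioner should keep in mind: a separate subdomain is a separate origin for script and DOM access, but a cookie set with a `Domain=` attribute is still sent to every subdomain, so the isolation is not total. The hostnames and cookies are constructed for illustration; `domainMatches` is a simplified reading of RFC 6265 section 5.1.3.

```javascript
// Added example: same-origin check vs. cookie domain matching.
// Runs in Node (URL is a global); hostnames below are constructed.

// An origin is scheme + host + port. The path is NOT part of it, so
// https://example.com/developers/docs and https://example.com/app share
// an origin, while https://docs.example.com/ does not.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Simplified RFC 6265 section 5.1.3 domain matching: the request host
// matches the cookie domain if it is identical or is a subdomain of it
// (and is not an IPv4 literal). Leading dots on the cookie domain are ignored.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// cookie = { domain, hostOnly }. hostOnly models a cookie set without a
// Domain attribute: browsers send it only to the exact host that set it.
function cookieSentTo(cookie, requestUrl) {
  const host = new URL(requestUrl).hostname;
  if (cookie.hostOnly) return host === cookie.domain.toLowerCase();
  return domainMatches(host, cookie.domain);
}

function demo() {
  const pairs = [
    ["https://example.com/developers/docs", "https://example.com/app"],
    ["https://docs.example.com/", "https://example.com/"],
    ["http://example.com/", "https://example.com/"],
    ["https://example.com:8443/", "https://example.com/"],
  ];
  for (const [a, b] of pairs) {
    console.log(`${a} vs ${b}: sameOrigin=${sameOrigin(a, b)}`);
  }
  // Constructed session cookies: one scoped to the whole registrable domain,
  // one host-only. Only the host-only one stays off the docs subdomain.
  const domainCookie = { domain: "example.com", hostOnly: false };
  const hostOnlyCookie = { domain: "example.com", hostOnly: true };
  console.log("Domain=example.com cookie reaches docs.example.com:",
    cookieSentTo(domainCookie, "https://docs.example.com/"));
  console.log("host-only cookie reaches docs.example.com:",
    cookieSentTo(hostOnlyCookie, "https://docs.example.com/"));
}

demo();
```

The takeaway for a docs site moved off the main domain: the move gives you the DOM and script isolation the comment describes, but if the main site's session cookie carries `Domain=example.com`, that cookie is still delivered to the docs origin and a script-injection there can still ride it in requests; host-only cookies (or a separate registrable domain entirely) close that gap.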
And you open another can of worms, which is phishing. If you run your marketing campaigns from yourcompany-deals-2025.com, don't be surprised when people click yourcompany-login.com links.
edit: That is, your phishing approach would work regardless, in my opinion. If your main site is `mycompany.com` then don't be surprised to see phishers sending `my-company.com` etc.
Also, you can host your content on a separate domain while still having users visit the same domain.