Do recognize BANK.IN and other Indian zones as TLD

ShailendraMSM · September 30, 2025, 7:07am

The Reserve Bank Of India (Equivalent to the Fed in the US) has implemented new URLs for all bank websites in India.

All banks are now migrated to a .bank.in domain.

So for example BankOfIndia.com now becomes BankOfIndia.bank.in

Bitwarden doesn’t recognize bank.in as a top level domain yet.

So I cant create custom domain rules in my Bitwarden account. Why? Because bitwarden thinks bankofindia.bank.in is a subdomain and Bitwarden only allows base domains in its Domain rules.

This is a huge problem. Lots of Indian customers have multiple bank accounts and hence multiple logins saved which need to be updated.

This issue is not just limited to newly introduced bank.in TLD. I face issues with other indian TLDs as well. I doubt Bitwarden recognizes that .in registry has following 45 TLDs now.

Legacy TLD
.in
.co.in
.com.in
.firm.in
.net.in
.org.in
.gen.in
.ind.in

Restricted TLD
.ernet.in 
.ac.in 
.edu.in 
.res.in 
.gov.in 
.mil.in
.bank.in

New TLD
.5g.in
.6g.in
.ai.in
.am.in
.bihar.in
.biz.in
.business.in
.ca.in
.cn.in
.com.in
.coop.in
.cs.in
.delhi.in
.dr.in
.er.in
.gujarat.in
.info.in
.int.in
.internet.in
.io.in
.me.in
.pg.in
.post.in
.pro.in
.travel.in
.tv.in
.uk.in
.up.in
.us.in

Regards

Neuron5569 · September 30, 2025, 7:56am

Hello and welcome to the forum!

Bitwarden does recognize “bank.in” as the top domain; the unusual “problem” is that all the banks will now be using subdomains of this top domain, which breaks the assumptions of setting “Base domain” as the default URL matching.

Without another feature request, you can:

For each of the affected banks, fix the URLs to the proper login page URLs (as subdomains of the top domain “bank.in”) and
For each URL, also change the URL matching rule (using the settings icon on the right of the field) to “Match detection: Host.” or
Change your Settings > Autofill > Default URL match detection to “Host.” Unfortunately, some of the other entries may no longer match, which you will have to fix one by one. On the other hand, you can view this as an exercise to “harden” your Bitwarden configuration to reduce the possible attack surface based on subdomain URLs.

I tried this with bankofindia.bank.in and indianbank.bank.in; with the “Host” URL matching, each entry matches separately.

P.S.: I edited your post so the non-TLD parts are outside the “code” formatting to allow the lines to be wrapped properly.

ShailendraMSM · September 30, 2025, 8:51am

Recognizing it as a base domain and recognizing it as a Top level Domain are different things.
Currently in custom domain rules (in my bitwarden account),

I can set as a valid rule :
XYZ. com, XYZ.co.in

but I cant set:
XYZ. com, XYZ.bank.in

even though .co.in and .bank.in are both same kind of entities.I hope this clears things up. If Bitwarden regonizes it as a proper TLD, it will let me and other users create custom domain rules to solve the issue for all logins in a particular website. I manage bank accounts for all family and a few businesses.

Neuron5569 · September 30, 2025, 9:07am

Understood, domain rules as in https://vault.bitwarden.com/#/settings/domain-rules.

I’ll wait for someone else to suggest how we can “properly” ask Bitwarden to implement recognition of those TLDs. It does seem like a “bug”, though.

ShailendraMSM · September 30, 2025, 9:37am

Definately not a bug, but a feature request. New TLDs pop up every year, but this one is particularly troublesome because Govt has forced all banks to change their domain all at once.

And these are banks we are talking about. The best way not to be phished is to look for exisiting available login for that domain. That is now broken.

grb · September 30, 2025, 2:48pm

I agree that this should be a feature request, although it could be argued that it should be reported as a Github Issue, as well (since from a user’s perspective, they would just experience that URI matching and Domain Rules no longer work as expected, without necessarily understanding the reason).

Neuron5569 · September 30, 2025, 10:06pm

Hot issues on github also seem to be addressed more quickly than a “hot” feature request. I personally would try the bug track first. The fastest track may be an outside code contributor fixing the issue.

ShailendraMSM · October 7, 2025, 2:13am

I tried on github, not a developer. My thread was automatically closed.

Can anyone help me raise this issue in the correct way.

Neuron5569 · October 7, 2025, 3:13am

Yeah, don’t file it as a contribution proposal; try submitting it as a bug report, i.e., TLDs not behaving as TLDs (with the details you have mentioned). This won’t guarantee that the submission won’t be closed, but since bugs may be fixed in days, weeks, or months, it might be better than a feature request, which could take months or years. grb already mentioned this link above:

Oh yeah, you should also include steps that make this “bug” consistently “reproducible,” which should be easy in this case, perhaps by using the non-equivalent treatment in the domain rules page above.

grb · October 7, 2025, 3:38am

Your thread was closed because you posted at https://github.com/orgs/bitwarden/discussions, not at https://github.com/bitwarden/clients/issues.

Neuron5569 · October 15, 2025, 11:28am

@ShailendraMSM,

If the following bug isn’t yours, you may want to add all the domains you mentioned to the bug report to see if the issue will get noticed:

github.com/bitwarden/clients

Autofill Suggestions Overlap for .bank.in Domains (Security Concern)

opened 10:35AM - 15 Oct 25 UTC

CaptainTrex

bug browser

### Steps To Reproduce 1. Save login credentials for two different banks that u…se `.bank.in` domains, for example: * **YES Bank:** `https://yesonline.yes.bank.in` * **SBI Bank:** `https://www.onlinesbi.sbi.bank.in` 2. Visit either of the above bank login pages. 3. Click on the Bitwarden icon or open the autofill popup. 4. Observe the autofill suggestions. ### Expected Result Bitwarden should treat `yes.bank.in` and `sbi.bank.in` as **completely separate domains**. Only the credentials for the current site (e.g., `yesonline.yes.bank.in`) should appear in autofill suggestions. ### Actual Result Bitwarden shows autofill suggestions for **multiple unrelated banks** that share the `.bank.in` suffix. For example, on `yesonline.yes.bank.in`, Bitwarden also suggests credentials saved for `sbi.bank.in`, and vice versa. ### Screenshots or Videos _No response_ ### Additional Context I’ve recently noticed a potential issue with Bitwarden’s domain matching behavior when handling newer .bank gTLDs and domains that include .bank.in. Many banks in India have started adopting .bank domains for security and compliance reasons. For example: YES Bank: https://yesonline.yes.bank.in SBI Bank: https://www.onlinesbi.sbi.bank.in However, Bitwarden’s autofill system appears to treat .bank.in as a common suffix, causing cross-suggestions between unrelated banking domains. Issue When visiting yesonline.yes.bank.in, Bitwarden also suggests credentials saved for sbi.bank.in and vice versa. This can be misleading and potentially dangerous, especially for users managing multiple banking credentials. Example: On yesonline.yes.bank.in → Bitwarden suggests both YES Bank and SBI credentials. On onlinesbi.sbi.bank.in → Bitwarden suggests both SBI and YES Bank credentials. This behavior occurs even though these are clearly separate financial institutions. ### Operating System Linux, Windows ### Operating System Version windows 11, Fedora 142 ### Web Browser Firefox ### Browser Version 143.0.4 (64-bit) ### Environment Versions Version: 2025.9.0 SDK: 'main (ab3c7db)' Server version: 2025.10.0 ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.