Excluded Sub Domains

Feature name

  • ability to exclude all sub domains in the Excluded Domains settings

Feature function

  • In Excluded Domains you can currently add a domain but it only excludes an exact match to that domain
  • I use a lot of subdomains and want to be able to easily exclude all of them from the “Do you want to save this password?” prompt
  • Is it possible to add a wildcard (*.example.com or .example.com) so that all sub domains are excluded automatically

I believe that’s exactly how it currently works - extract from the help article:

Domain Exclusion does not register “full” URLs, only the domain component. In the above example, https://github.com/bitwarden/browser would resolve to github.com when saved, meaning that the Browser Extension would explicitly not offer to save credentials for Github.


From my experience it does work this way to remove the https:// and folders, but adding example.com to the exclusion list doesn’t exclude sub-domain.example.com.

1 Like

I have exactly this same request. I want to write e.g. .example.com or *.example.com and have the prompt excluded from a.example.com and b.example.com and so on, even say c.d.example.com.

1 Like

You might be able to do this with the “RegEx” match detection setting. I haven’t tried it, but some RegEx syntaxes have negation/not.

In practice, when I want a subdomain excluded, I instead just list all the subdomains that I want included (and select the “Host” match detection setting).

+1 to this feature, it doesn’t seem actually possible (I’m using the FF plugin)

@B0UNC3R where is that regex setting? I can’t find it … trying with a regex in excluded domains doesn’t work (e.g. /.*example.com/ => says it’s not a valid domain).

Note, listing exhaustively all full domains cannot work for me because I have some generated parts within.

OK I believe the regex matching setting is used only during the credentials lookup, but it doesn’t impact while looking for excluded domains.
So, still +1 for the feature request


FYI Subdomains exclusion by jotak · Pull Request #2289 · bitwarden/browser · GitHub


Thanks for your effort on this @jotak.
I am not sure why nobody is not denying neither approving this small piece of code.

I have two questions on my mind as well:

  1. I am also curious where Bitwarden does the URL domain input validation as somebody can create malicious alike URL-s or records to make Bitwarden act unproperly ?
  2. Is this modification manageble via managed_preferences.json as well? I am interested on this feature because t is unacceptable companies to let employees store internal network credentials to secret wallet.