Okay, so two questions here.
I entered “amazon.com” as a login URI and Base Domain match detection, which is defined as “the second-level domain plus the top-level domain of the given URI”. But when I go to the login screen for “amazon.co.uk”, which has a different TLD and a different 2LD, the same login is offered. Why?
Since some countries such as UK and Japan have a commercial 2LD (.co.uk and .co.jp), wouldn’t all sites which end with those be recognized with the Base Domain setting?
.com and .co.jp have separate accounts; I can’t use one on the other.
Also, security-wise, I could register bankofamerica.co.xx and, if what you expect were true, I could force your Bitwarden to fill in the password and my site would listen for the autofill and steal it.
So this is bad for security.
I know Japanese Amazon uses a separate account. I’m not asking anything about Amazon, I used the site as an example for two different TLDs.
My question is how Bitwarden can recognize “amazon.co.uk” as an autofill match if I entered “amazon.com” in the URI.
About your second reply, I don’t get what you’re trying to say. What do you mean by “bankofamerica.co.xx”?
What I asked is shouldn’t TLD (.uk) and 2LD (.co) include all sites which end with .co.uk?
This happens because amazon.co.uk and amazon.com are treated as “equivalent domains”. You can adjust these settings in the vault under the Settings > Domain Rule section in the web vault.
That makes sense, thanks!
About the second question, wouldn’t TLD and 2LD include all UK sites?
However, .co.jp and .cn are accounts separate from the identical account utilized across .com, .co.uk, .ca, etc. If what @dabura667 states is true, they should not be treated as equivalent domains.
Easy resolution: What they stated is not true*. Just go to Account Settings > Domain Rules in the Web Vault (as explained by @kspearrin above) and you will be able to confirm that bankofamerica.com does not have any .cn equivalent under “Global Equivalent Domains”, and neither does
You also have the ability to remove entries from the “Global Equivalent Domains” list (or add your own under “Custom Equivalent Domains”) if you are concerned with security of any (or all) of the defined equivalences.
Furthermore, you can easily defeat all “Equivalent Domain” substitutions by setting the URI matching in your Login items to anything but the default “Base Domain” option.
*Edit: To be fair to @dabura667, I think that @BEEDELLROKEJULIANLOC and I both misinterpreted what they said. Upon re-reading the posts, I now understand that they were making the point that amazon.co.jp does not match amazon.com (as expected, because there is no global equivalence defined), and then they stated that there is no global equivalence between TLDs (e.g., co.xx), because that would be “bad for security”. So, what @dabura667 said is in fact true, if correctly interpreted!
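As an added illustration (not Bitwarden's code, and not written by anyone in this thread), here is a small Python model of the “Base Domain” rule plus equivalent domains that reproduces the behaviour discussed above: amazon.co.uk gets the amazon.com login only because of an equivalent-domain entry, amazon.co.jp and bankofamerica.co.xx do not, and either removing the entry or switching to “Host” matching stops the cross-TLD fill. The public-suffix table and the equivalent-domain group are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed, shortened public-suffix table. A real implementation uses the
# full Public Suffix List; that list is what makes "co.uk" a suffix rather
# than a second-level domain, so amazon.co.uk is a base domain on its own.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "jp", "co.jp", "cn", "xx", "co.xx"}

# Constructed group modelled on the "Global Equivalent Domains" list the
# thread describes (amazon.co.jp deliberately absent); not Bitwarden's list.
GLOBAL_EQUIVALENT_DOMAINS = [{"amazon.com", "amazon.co.uk", "amazon.ca"}]


def hostname(uri: str) -> str:
    """Lower-cased host of a URI; bare domains like "amazon.com" are accepted."""
    if "://" not in uri:
        uri = "https://" + uri
    return (urlsplit(uri).hostname or "").lower().rstrip(".")


def base_domain(uri: str) -> str:
    """Registrable domain: the public suffix plus one label (eTLD+1)."""
    labels = hostname(uri).split(".")
    # Try the longest candidate suffix first so "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # unknown suffix: whole host counts as registrable


def base_domain_match(login_uri: str, page_uri: str,
                      groups=GLOBAL_EQUIVALENT_DOMAINS) -> bool:
    """Default "Base Domain" rule: equal base domains, or both base domains
    in one equivalent-domain group. Pass groups=[] to model removing the
    global entries under Settings > Domain Rules."""
    login, page = base_domain(login_uri), base_domain(page_uri)
    return login == page or any(login in g and page in g for g in groups)


def host_match(login_uri: str, page_uri: str) -> bool:
    """The "Host" rule: exact hostname, so equivalences never apply."""
    return hostname(login_uri) == hostname(page_uri)


if __name__ == "__main__":
    # amazon.co.uk is offered the amazon.com login only via the equivalence
    print(base_domain_match("amazon.com", "https://www.amazon.co.uk/ap/signin"))   # True
    # .co.jp has no equivalence, so the TLD/2LD alone never matches
    print(base_domain_match("amazon.com", "https://www.amazon.co.jp/"))           # False
    # a look-alike under another suffix is simply a different base domain
    print(base_domain_match("bankofamerica.com", "https://bankofamerica.co.xx/"))  # False
    # with the global entry removed, or under Host matching, no cross-TLD fill
    print(base_domain_match("amazon.com", "https://www.amazon.co.uk/", groups=[]))  # False
    print(host_match("amazon.com", "https://www.amazon.co.uk/"))                   # False
```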