To give a concrete example: My accounts on community.bitwarden.com and bitwarden.com are different. On community.bitwarden.com, I do NOT want bitwarden.com username/password prompted (yep I store bitwarden.com username/password in bitwarden, I self-host, but chose to pay a subscription to support the devs).

Another example is Target’s Redcard: I have different accounts on target.com and rcam.target.com (the redcard manage website). I do NOT want my target.com username/password prompted when I access rcam.target.com.

Now I think this can be solved if the regular expression in Bitwarden supports negative lookbehind assertion, but the best I can come up with is

https:\/\/(?<!rcam[.])target[.]com\/.*

But it doesn’t seem to work on target.com (my target.com username/password is no longer prompted when accessing target.com).

Ah OK I figured this out: lookbehind assertion doesn’t capture anything. You’ll need to capture the subdomains as usual, but add the assertion in the middle.

This seems to work with my test:

^https:\/\/([a-z]+[.])?(?<!rcam[.])target[.]com\/.*

See the tester in regex101: regex101: build, test, and debug regex

To close the loop: it seems like I over engineered my solution.

For target.com, you only need to match host login.target.com and rcam.target.com respectively.

For bitwarden.com, you do the same host matching on vault.butwarden.com and community.bitwarden.com respectively.

I guess I can save the negative lookbehind trick in the future.