The restriction was originally in place for security reasons. However, with the support of custom domains by the BN, it is now possible to extend this mechanism to include them while keeping the security level. @frederikrothenberger has even already outlined an idea for it. Nevertheless, since the stakeholders have not given this feature any priority, it may or may not be implemented in the future. I cannot tell. I’ve tried to move the topic multiple times in the last years.
I would very much like to have the possibility of custom domain canonical origins. It would open up a good few possibilities for our dApp such as backups etc.
I’m not sure how I could try to push this feature forward other than voicing my support for it here. But I hope to see progress and the restriction removed.
Note that you don’t need to convince me; for instance, the inability to generate the same principal on customdomain.com and www.customdomain.com is quite awkward, to say the least.
It seems it would be a quick update, maybe just removing the regex checks in this file:
Actually this regex cannot just be removed, there is a certain level of security to keep in place (I don’t have all the details in mind). This was discussed / reviewed with the security team.
That was also my first idea.
Yeah, that makes sense; it’s never as easy as it seems. Maybe @frederikrothenberger can advise on his idea in this scenario and / or the security situation surrounding this.
@dfxjesse: Yes, we can remove the regex, if we make sure in other ways that the /.well-known/ii-alternative-origins asset is served from a canister (and hence has passed asset certification). This is a requirement by product security because they fear that identities might get stolen if we allow this asset to be served from web2.
But we have a solution for that: we can rely on the boundary nodes’ custom domains feature to verify that the URL is indeed backed by a canister.
I have (again) surfaced this issue to II product management so that it can hopefully be addressed in the upcoming sprints.
Thanks for your response,
Our custom domain is backed by a canister, as I presume many others are on the IC (i.e., not on web2). So if there is some way the boundary nodes can verify this and we can remove that regex, that would be awesome.
Thanks for raising it with the II product management, I’ll keep an eye on this.
Note for anyone reading this thread. This feature has been live probably for a while already now. As long as /.well-known/ii-alternative-origins is served from a canister, II will accept it. So the canonical origin can be a custom domain.