Open AverageHelper opened 1 month ago
Hi!
Is this intended behavior?
Yes, the goal was to make custom domains as simple as possible -- no configuration required inside of pgs.sh.
We see this as no different than someone having a domain point to an IP address of a known website they do not own or manage.
Having said said that, we could design an allowlist of custom domains for pgs.sh.
Fair enough! A simple config is super great tbh, and a valid default. An optional allowlist would be nice for the paranoid among us, tho that's not a dealbreaker for me using the platform.
Great, I'll add it to our shortlist.
It seems that pgs.sh relies entirely on DNS records to figure out which project to serve for a custom domain. This means that, given a site hosted on pgs.sh, anyone can:
dig the.domain.com
to confirm that aCNAME
record indeed points topgs.sh
,dig _pgs.the.domain.com TXT
to obtain the username and project name for that site,i-am-a-bad-person.com
) with matching records to point at the target project (per pgs.sh docs), thenIs this permissiveness intentional?
If not, or if there is some utility in allow-listing specific domains for the project (I'm no expert, but it seems misleading domain names could be a concern), could such a mechanism be added? Perhaps a special
.domains
or_domains
file, with a list of valid canonical domains separated by newlines, similar to Codeberg Pages?