Actually, Linode is at fault here, probably because they’re not aware of the Public Suffix List (PSL). Maybe the password managers are also at fault for not adhering to the PSL, I’m not aware, but at least Linode should add themselves to it. If auto-fill is still happening afterwards, then we can blame the password managers.
The PSL allows you to specify whether you’re in control of all subdomains on your domain name. It’s also the reason why, for instance, if you try to add a wildcard in
externally_connectable when creating Chrome extension, you may get an error like:
The URL pattern must contain at least a second-level domain – that is, hostname patterns like ““, “.com”, “.co.uk”, and “.appspot.com” are prohibited.
Followed by you screaming “but appspot.com is a second-level domain!” at your monitor. But it’s not, because it has specifically been defined in the PSL to not be.
So no, the solution for the password managers isn’t to just disallow autofill on subdomains outright – the solution is to disallow autofill on subdomains that the primary domain owners aren’t in control over, and you can determine this by looking at the PSL.
So why is Lionde at fault here? Because they’re not in the PSL and they should be.
And just to make it clear that the PSL isn’t some unofficial pet project, it’s maintained by Mozilla and both Microsoft and Google have also officially added their own public domains to the list. If the browser vendors can agree on using it, so should your extension.