

Cross-subdomain login not supported by Chrome's Password Manager #278

TheFrozenFire opened this Issue · 2 comments

3 participants


This issue is only tangentially related to Reddit, but it was a change in Reddit that caused me to notice the issue, and it really is a result of Reddit implementing their login system in a way which skirts the edges of what's considered acceptable security practices.

I've opened a bug for Chromium which addresses the issue on their end, found at This might give a better understanding of why the issue is occurring.

The issue is that Chrom(e/ium)'s password manager is blocked when the origin of the dialog_form (what domain it's located on) is different from the host of the form's action. The purpose of this, in theory, is to block the password manager being exploited into providing stored credentials to other domains, in certain circumstances.

The way Reddit's login system seems to be implemented is that the form is located on, and the action of the form is Because of the way cookies work (see RFC 6265), this is bad design. In theory, cookies set by should not be available to Relatedly, form submissions from are not necessarily in the "protected zone" of, so the password manager is forced to not provide login credentials to that form.

The solution to this would be to keep form actions for logins on the same subdomain as the forms themselves. Otherwise, browsers which implement password manager security like Chrom(e/ium) will not work.
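As an added illustration of the check the post describes (this is example code written for this page, not Chromium's implementation and not Reddit's code), the following models the two rules involved: a password manager comparing the scheme and host of the page that hosts a login form against the resolved form action, and RFC 6265 domain matching, which decides whether a cookie set for one host is sent to a sibling subdomain. All hostnames are constructed placeholders (`www.example.test`, `auth.example.test`), not real Reddit hosts.

```javascript
// Added example, not from the issue or from Chromium: a minimal model of the
// same-origin check between a login form's page and its action, plus the
// RFC 6265 domain-matching rule the issue cites. Hostnames are constructed.

// Resolve a form's action attribute against the page URL the way a browser
// does; an empty or missing action submits back to the page itself.
function resolveAction(pageUrl, action) {
  return new URL(action || "", pageUrl);
}

// True when the submission stays on the page's own scheme+host, which is the
// condition under which the password manager in the report will autofill.
function actionStaysOnOrigin(pageUrl, action) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, action);
  return page.protocol === target.protocol && page.host === target.host;
}

// Audit a list of {page, action} login forms and return those whose action
// leaves the page's origin, i.e. the pattern this issue reports.
function findCrossOriginLoginForms(forms) {
  return forms.filter((f) => !actionStaysOnOrigin(f.page, f.action));
}

// RFC 6265 section 5.1.3 domain matching. A host-only cookie (no Domain
// attribute) is sent only to the exact host that set it; a cookie with a
// Domain attribute is sent to that domain and any subdomain of it.
function cookieMatchesHost(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (cookie.hostOnly) {
    return host === domain;
  }
  return host === domain || host.endsWith("." + domain);
}

// Constructed sample: the first form lives on one subdomain and posts to a
// sibling subdomain, the second posts back to its own host, the third keeps
// the host but drops to plain HTTP.
const SAMPLE_FORMS = [
  { page: "https://www.example.test/login", action: "https://auth.example.test/api/login" },
  { page: "https://www.example.test/login", action: "/api/login" },
  { page: "https://www.example.test/login", action: "http://www.example.test/api/login" },
];

// Constructed cookies: one host-only cookie set by www, one scoped to the
// parent domain via a Domain attribute.
const HOST_ONLY_COOKIE = { domain: "www.example.test", hostOnly: true };
const PARENT_DOMAIN_COOKIE = { domain: "example.test", hostOnly: false };

console.log("forms whose action leaves the page origin:");
for (const f of findCrossOriginLoginForms(SAMPLE_FORMS)) {
  console.log("  page", f.page, "-> action", resolveAction(f.page, f.action).href);
}
console.log(
  "host-only cookie from www sent to auth?",
  cookieMatchesHost(HOST_ONLY_COOKIE, "auth.example.test"),
);
console.log(
  "parent-domain cookie sent to auth?",
  cookieMatchesHost(PARENT_DOMAIN_COOKIE, "auth.example.test"),
);
```

Running the audit over a site's login forms is the practical check: any form that appears in `findCrossOriginLoginForms` is one that a same-origin password manager will refuse to fill, and the fix the post proposes is to give that form a relative action (the second sample entry) rather than a sibling-subdomain URL.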


Justin, thanks for your detailed writeup. We'll look into this.


One year later... this is not an annoyance. It's a security issue, particularly with the lack of OAuth. I'm new to reddit; to be honest, this is a huge hit on your respectability.
