Description
I think it would be useful to allow a service that wants to send domain-bound codes to be able to opt into a stricter matching mechanism. Common examples that come to mind are hosting services or blog services that have user login on their TLD-plus-one and serve user content from subdomains. For example, Example Hosting Service has a login form on example.com and serves userA's content from userA.example.com.
Under our current matching scheme a code sent as @example.com #123456 would match example.com and userA.example.com since they're "same site" with each other. We should give these sites a way to express that they only want to match with example.com and no subdomains with a minimal amount of extra syntax. I think a natural extension of what we have so far is to use two @ signs as the field sigil. So, an SMS that reads @@example.com #123456 would match only example.com.
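
The two matching rules described in the issue above, side by side, as an added example that is not part of the original issue or the project's own code. The function names are hypothetical, the code is assumed to sit on the last line of the SMS, and a two-entry constructed suffix set stands in for the Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List; a real matcher needs the full list.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// Registrable domain ("TLD-plus-one") of a host, or null when it cannot be determined.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // i = 0 tests the longest candidate suffix first, so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A host that is itself a public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: refuse to match rather than guess
}

// Parse "@host #code" (current scheme) or "@@host #code" (stricter form proposed above).
// Assumption: the bound code is on the last line of the message.
function parseBoundCode(sms) {
  const lastLine = sms.trimEnd().split("\n").pop();
  const m = /^(@{1,2})([a-z0-9.-]+) #(\S+)$/i.exec(lastLine);
  if (!m) return null;
  return { strict: m[1] === "@@", host: m[2].toLowerCase(), code: m[3] };
}

// Decide whether a page served from pageHost may be offered the code in this SMS.
function codeMatchesHost(sms, pageHost) {
  const parsed = parseBoundCode(sms);
  if (!parsed) return false;
  const page = pageHost.toLowerCase();
  // "@@": exact host only, so user-content subdomains are excluded.
  if (parsed.strict) return page === parsed.host;
  // "@": same site, i.e. both hosts share one registrable domain.
  const bound = registrableDomain(parsed.host);
  return bound !== null && bound === registrableDomain(page);
}

// Constructed sample messages.
const LOOSE_SMS = "Your login code is below.\n@example.com #123456";
const STRICT_SMS = "Your login code is below.\n@@example.com #123456";
console.log(codeMatchesHost(LOOSE_SMS, "userA.example.com"));  // subdomain, "@"
console.log(codeMatchesHost(STRICT_SMS, "userA.example.com")); // subdomain, "@@"
```

This compares hosts only; scheme and port are ignored here.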