2021-07-05 UTC
# sknebel right. on a domain the imposter case is less obvious/common, so for our purposes it might be ok to not cover that (basically, if you combine it with path limits you say that you can't have less trusted things on subpaths of a URL. which is likely true for most personal sites, and can be made ok for many but not all other scenarios)