Added shared credentials for Digi

[revolter]

Overall Checklist

• I agree to the project's Developer Certificate of Origin
• The top-level JSON objects are sorted alphabetically
• There are no open pull requests for the same update

for password-rules.json

• The given rule isn't particularly standard and obvious for password managers
• Generated passwords have been tested from this rule using the Password Rules Validation Tool
• Information has been included about the website's requirements (eg. screenshots, error messages, steps during experimentation, etc.)
• The PR isn't documenting something that would be a common practice among password managers (e.g. minimal length of 6)

for change-password-URLs.json

• There is no Well-Known URL for Changing Passwords (https://example.com/.well-known/change-password)
• The URL either makes the experience better or no worse than being directed to just the domain in a non-logged-in state

for shared-credentials.json

• There's evidence the domains are currently related (SSL certificates, DNS entries, valid links between sites, legal documents etc.)

  digi.ro	digionline.ro
  https://who.is/whois/digi.ro	https://who.is/whois/digionline.ro

  • digiromania.ro redirects to digi.ro: https://digiromania.ro
  • rcs-rds.ro redirects to digi.ro: https://rcs-rds.ro
• If using shared, the new group serves login pages on each of the included domains, and those login pages accept accounts from the others. (For example, we wouldn't use a shared association from google.co.il to google.com, because google.co.il redirects to accounts.google.com for sign in.)
• If using from and to, the new group, the from domain(s) redirect to the to domain to log in.

for shared-credentials-historical.json

• You believe that the domains were associated at some point in the past and can explain that relationship

[rmondello]

One of the linters is failing because we currently don’t allow overlapping rules. I’m thinking about what to do with this.

[revolter]

Want some help?

[rmondello]

Maybe the expedient thing to do here is move “digionline.ro” into the “to” of the other rule, even if it’s not 100% accurate. What do you think?

[revolter]

Makes sense

[revolter]

Actually, digionline.ro is NOT obsoleted, so I'm not sure what implications does this change have.

Would

{
    "from": [
        "digionline.ro"
    ],
    "to": [
        "digi.ro"
    ]
},
{
    "from": [
        "digiromania.ro",
        "rcs-rds.ro"
    ],
    "to": [
        "digi.ro"
    ],
    "fromDomainsAreObsoleted": true
}

work?

[revolter]

Would <...> work?

Nope, it wouldn't work:

$ ruby .github/workflows/lint-scripts/websites-shared-credentials-duplicates.rb
The domain 'digi.ro' appears more than once!

:(

[rmondello]

I don't see digiromania.ro redirecting. When I load it, it shows a page at that domain!

[revolter]

Huh 🤔 Even in incognito?

$ curl --include digiromania.ro
HTTP/1.1 301 Moved Permanently
Date: Sat, 28 Sep 2024 07:24:40 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.digi.ro/
Server: RDS-WebServer v2

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

[rmondello]

Can you look into digiromania.ro not redirecting?

[rmondello]

Closing for now. Feel free to re-open if you're interested in trying to get this landed.

[revolter]

I do. I was waiting for a reply from you here: #772 (comment)