that’s really concerning because it bypasses a browser password manager security measure. Since the domain is the same but the server ip and the server’s https certificate chain is different, a poorly written password manager may auto-login or automatically send cookies to a website owned by a completely different entity on the same domain name. Big security flaw in domain name trust?